0

我有一个当天的函数调用资源,我已将其复制并更改为 Editors Picks。该函数在数据库中查找并根据值和今天的日期抓取随机图像。

这是 SQL 行:

sql_value(
    "select resource value 
     from resource_data 
     where resource > 5 and 
           resource_type_field=$rotd_field and 
           value like '" . date("Y-m-d") . "%' limit 1;"
   ,0);

我想尝试调整这条线来拉入一个集合,这是拉入一个集合图像的 SQL 行:

sql_query("select collection.ref, 
                  collection.home_page_publish, 
                  collection.home_page_text,
                  collection.home_page_image,
                  resource.thumb_height,
                  resource.thumb_width 
           from collection 
           left outer join resource on collection.home_page_image=resource.ref 
           where collection.public=1 and
                 collection.home_page_publish=1"
                 .$filterClause.
           " order by collection.ref desc");

有谁知道如何调整顶部 SQL 行来提取集合信息,例如,我可以将日期函数更改为其他内容吗?

这是为代码提供动力的 2 页:

主页.php

<?php

function HookEditorsPickHomeReplaceslideshow ()
    {
    include_once dirname(__FILE__)."/../inc/rotd_functions.php";

    global $baseurl, $view_title_field;

    $rotd=get_editors_pick();
    if ($rotd===false) {return false;} # No ROTD, return false to disable hook and display standard slide show.

    # Get preview width
    $sizes = get_image_sizes($rotd, true);
    foreach ($sizes as $size)
        {
        if ($size["id"]=="pre")
            {
            $width = $size["width"];
            break;
            }
        }


    # Fetch title
    $title = sql_value("select value from resource_data where resource='$rotd' and resource_type_field=$view_title_field","");

    # Fetch caption
    $caption=sql_value("select value from resource_data where resource='$rotd' and resource_type_field=18","");

    # Show resource!
    $pre=get_resource_path($rotd,false,"pre",false,"jpg");
    ?>
    <div class="HomePicturePanel" style="width: <?php echo $width ?>px; background-color:#f1f1f1; height: 409px;">
    <a onClick="return CentralSpaceLoad(this,true);" href="<?php echo $baseurl?>/pages/view.php?ref=<?php echo $rotd ?>"><img class="ImageBorder" style="margin-bottom: 0px; margin-top: 0px; border:#CCC; solid: 0px;" src="<?php echo $pre ?>" /></a>
    <br />
    <div class="ResourceOfTheDayHead">Our Resource of the day</div>

    <div class="ResourceOfTheDayText"><?php echo i18n_get_translated(htmlspecialchars($title)) ?></div>
    <div class="ResourceOfTheDayCaption"><?php echo $caption ?></div>
</div>
    <?php

    return true;
    }


?>

这是:rotd.functions.php

<?php

function get_editors_pick()
    {
    global $rotd_field;


    # Search for today's resource of the day.
    $rotd = sql_value("select resource value from resource_data where resource>5 and resource_type_field=$rotd_field and value like '" . date("Y-m-d") . "%' limit 1;",0);
    if ($rotd!=0) {return $rotd;} # A resource was found?


    # No resource of the day fields are set. Return to default slideshow functionality.
    return false;
    }

?>
4

1 回答 1

0

我不熟悉 php,但这个伪代码可能很有用。

string whereClause = "WHERE ";
for each (item in collection)
{
  whereClause = whereClause + " " + item;
}

string sqlQuery = "SELECT stuff, otherStuff FROM myTable " + whereClause + " ORDER BY thing2";

如果未清理 where 子句中的项目,则可能发生 SQL 注入。网上有很多关于如何防止这种情况的示例,但最好的方法是使用参数而不是像上面显示的动态 SQL。

于 2013-07-26T18:01:22.067 回答