0

我遇到了一些(应该很简单)代码的问题。我从表单中获取信息并尝试在数据库中回显与表单规范匹配的条目。我认为我的 HTML 是正确的,而我的问题在于 PHP。这是我需要帮助的代码:

<?php
    $submit = @$_POST['submit'];
    $gender = $_POST['gender'];
    $hair = $_POST['hair'];
    $height = $_POST['height'];
    $body = $_POST['body'];

    if ($submit){
        //open database
        $connect = mysql_connect("xxxx", "xxxx", "xxxx") or die("Couldnt Connect to Server");
        mysql_select_db("xxxx") or die("Couldnt find database"); 

        $query = mysql_query("SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'");
        $query_run = mysql_query($query);

        if ($query_run = mysql_query($query)) {
            while ($query_row = mysql_fetch_assoc($query_run)) {
                $pic = $query_row['picture'];
            };
        };
    };

?>

这是一个自我提交页面<form action='thispage.php' method='post'>。稍后在空白处的页面下方是我要回显 $pic 的地方。

这种方法是正确的/最好的方法吗?如果需要,我将发布整个页面的代码。现在只有75行。

在我被告知我应该使用 SQLi 之前,这更像是一个概念证明,更重要的是我不知道如何从 SQL 到 SQLi 进行更改。

编辑:在表单中,只有选项,没有文本输入(如果重要的话)

4

2 回答 2

0

这是我使用现代库的方法

// check that all required POST parameters are present
if (isset($_POST['submit'], $_POST['gender'], $_POST['hair'], $_POST['height'],
    $_POST['body'])) {

    // create DB connection
    $pdo = new PDO('mysql:host=localhost;dbname=xxxx;charset=utf8',
        'xxxx', 'xxxx');

    // set error mode and use real prepared statements if possible
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // prepare an SQL statement with parameter placeholders
    // I changed the * to just `picture` as that's all you were using in your OP
    $stmt = $pdo->prepare('SELECT `picture` FROM `table` WHERE `gender` = ? AND `hair` = ? AND `height` = ? AND `body` = ?');

    // execute with the POST parameters
    $stmt->execute(array(
        $_POST['gender'],
        $_POST['hair'],
        $_POST['height'],
        $_POST['body']
    ));

    // load all "picture" results into an array
    $pics = array();
    while ($pic = $stmt->fetchColumn()) {
        $pics[] = $pic;
    }
}
于 2013-07-30T05:50:34.560 回答
-3 
$query = mysql_query("SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'");
  $query_run = mysql_query($query);

  if ($query_run = mysql_query($query)) {

  while ($query_row = mysql_fetch_assoc($query_run)) {
     $pic = $query_row['picture'];
    };
 };

应该

 $query = "SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'";

  if ($query_run = mysql_query($query)) {

  while ($query_row = mysql_fetch_assoc($query_run)) {
     $pic = $query_row['picture'];
    };
 };

$query = mysql_query ("SELECT * FROM `表............

$query_run = mysql_query($query); 额外的

于 2013-07-30T05:32:10.773 回答