-3

这是参数化之前的sql查询。我试图参数化代码以防止 sql 注入攻击。Bansi 帮助我解决了这个问题。他的答案在下面打勾

下面的代码是我们要参数化的。

$sqlCommand = "(SELECT * FROM products WHERE product_name LIKE '%$searchquery%' OR details LIKE '%$searchquery%' OR category LIKE '%searchquery%' OR subcategory LIKE '%searchquery%' OR price LIKE '%searchquery%') ";
} 
require_once("storescripts/connect_to_mysqli.php");
$query = mysqli_query($myConnection,$sqlCommand) or die(mysqli_error($myConnection));
$count = mysqli_num_rows($query);
if($count >= 1){
    $search_output .= "<hr />$count results for <strong>$searchquery</strong><hr />";
    while($row = mysqli_fetch_array($query)){

并且应该根据bansi的答案将其更改为下面的代码。关键部分如下

require_once ("storescripts/connect_to_mysqli.php");
$stmt = $myConnection->prepare('SELECT id, product_name, price FROM products WHERE product_name LIKE ? OR details LIKE ? OR category LIKE ? OR subcategory LIKE ? OR price LIKE ?');
$param = "%$searchquery%";
$stmt->bind_param('sssss', $param, $param, $param, $param, $param);
$stmt->execute();
/* store result */
$stmt->store_result();
/* get the row count */
$count = $stmt->num_rows;
if ($count >= 1) {
    $search_output = "<hr />$count results for <strong>$searchquery</strong><hr />";
    $stmt->bind_result($id, $product_name, $price);

    while ($stmt->fetch()) {
        printf("%s %s %s\n", $id, $product_name, $price);
4

3 回答 3

2

问题在于您在准备好的声明中的引用。正确的做法是省略引号周围的单引号。如果您需要在引号内使用引号,您可以在单引号内使用双引号。

这是解决方案:

$stmt = $myConnection->prepare('SELECT * FROM products WHERE product_name LIKE ? OR details LIKE ? OR category LIKE ? OR subcategory LIKE ? OR price LIKE ?');

制作这样的字符串时的另一种选择是将字符串与 .'s 连接在一起。像这样:

$字符串 = $旧字符串。“ 你好”;

于 2013-08-17T03:48:18.837 回答
1

下面的代码工作并给你结果,但它没有正确显示结果如何修改 $search_output?

<?php

$search_output = "";

if (isset($_POST['searchquery']) && $_POST['searchquery'] != "") {
    $searchquery = preg_replace('/[^a-zA-Z0-9_ %\[\]\/\.\(\)%&-]/s', '', $_POST['searchquery']);
    if ($_POST['filter1'] == "Products") {
        require_once ("storescripts/connect_to_mysqli.php");
        //syntax error string not quoted properly
        $stmt = $myConnection->prepare('SELECT * FROM products WHERE product_name LIKE ? OR details LIKE ? OR category LIKE ? OR subcategory LIKE ? OR price LIKE ?');
        $param = "%$searchquery%";
        $stmt->bind_param('sssss', $param , $param , $param , $param , $param);
        $stmt->execute();
        $stmt->bind_result($id, $product_name, $price);

        while ($stmt->fetch()) {
            printf("%s %s %s\n", $id, $product_name, $price);
            $search_output .= "
            <li><div class='product'>
            <a href='product.php?id=$id' class='info'>
            <span class='holder'>
            <img src='inventory_images/$id.jpg' alt='$product_name' />
            <span class='book-name'>$product_name</span>
            </a>
             <a href='product.php?id=$id' class='buy-btn'>RM<span class='price'>$price</span></a>
            </div>
            </li>

            ";
        }//While loop was not closed

    } else {
        $search_output = "<hr />0 results for <strong>$searchquery</strong><hr />";
    }
}
?>

你有 2 个语法错误。编辑以修复绑定语句并更改 sql

<?php

$search_output = "";

if (isset($_POST['searchquery']) && $_POST['searchquery'] != "") {
    $searchquery = preg_replace('/[^a-zA-Z0-9_ %\[\]\/\.\(\)%&-]/s', '', $_POST['searchquery']);
    if ($_POST['filter1'] == "Products") {
        require_once ("storescripts/connect_to_mysqli.php");
        //syntax error string not quoted properly
        $stmt = $myConnection->prepare('SELECT * FROM products WHERE product_name LIKE ? OR details LIKE ? OR category LIKE ? OR subcategory LIKE ? OR price LIKE ?');
        $param = "%$searchquery%";
        $stmt->bind_param('sssss', $param , $param , $param , $param , $param);
        $stmt->execute();
        $stmt->bind_result($product_name, $price);

        while ($stmt->fetch()) {
            printf("%s %s\n", $product_name, $price, $totalpoints);

            $search_output .= "
            <li><div class='product'>
            <a href='product.php?id=$id' class='info'>
            <span class='holder'>
            <img src='inventory_images/$id.jpg' alt='$product_name' />
            <span class='book-name'>$product_name</span>
            </a>
             <a href='product.php?id=$id' class='buy-btn'>RM<span class='price'>$price</span></a>
            </div>
            </li>

            ";
        }//While loop was not closed

    } else {
        $search_output = "<hr />0 results for <strong>$searchquery</strong><hr />";
    }
}
?>

您还需要绑定所有 5 个参数更改以下行。

$stmt->bind_param('s', '%$searchquery%');

编辑:

$stmt->bind_result($product_name, $price);

如果第三列是总分,则应如下所示。*使用时不可能知道列名select

$stmt->bind_result($product_name, $price, $totalpoints);


printf("%s %s\n", $product_name, $price, $totalpoints);


printf("%s %s %s\n", $product_name, $price, $totalpoints);

要不就

echo "$product_name $price $totalpoints\n";

获取执行语句后的总使用量。

$count = $stmt->num_rows;

编辑 2 检查这是否也有效。

$search_output = "";

if (isset($_POST['searchquery']) && $_POST['searchquery'] != "") {
    $searchquery = preg_replace('/[^a-zA-Z0-9_ %\[\]\/\.\(\)%&-]/s', '', $_POST['searchquery']);
    if ($_POST['filter1'] == "Products") {
        require_once ("storescripts/connect_to_mysqli.php");
        $stmt = $myConnection->prepare('SELECT id, product_name, price FROM products WHERE product_name LIKE ? OR details LIKE ? OR category LIKE ? OR subcategory LIKE ? OR price LIKE ?');
        $param = "%$searchquery%";
        $stmt->bind_param('sssss', $param, $param, $param, $param, $param);
        $stmt->execute();
        /* store result */
        $stmt->store_result();
        /* get the row count */
        $count = $stmt->num_rows;
        if ($count >= 1) {
            $search_output = "<hr />$count results for <strong>$searchquery</strong><hr />";
            $stmt->bind_result($id, $product_name, $price);

            while ($stmt->fetch()) {
                printf("%s %s %s\n", $id, $product_name, $price);
                $search_output .= "
                <li><div class='product'>
                <a href='product.php?id=$id' class='info'>
                <span class='holder'>
                <img src='inventory_images/$id.jpg' alt='$product_name' />
                <span class='book-name'>$product_name</span>
                </a>
                 <a href='product.php?id=$id' class='buy-btn'>RM<span class='price'>$price</span></a>
                </div>
                </li>

                ";
            }
        } else {
            $search_output = "<hr />0 results for <strong>$searchquery</strong><hr />";
        }

    } else {
        $search_output = "<hr />0 results for <strong>$searchquery</strong><hr />";
    }
}
于 2013-08-17T03:49:51.063 回答
0

您的第一个问题是您没有正确参数化查询。您过早地终止了字符串并?从语言解释器的上下文中插入了 a 。这显然会导致语法错误。

在不破坏字符串的情况下插入参数。

->prepare('SELECT * FROM products WHERE product_name LIKE ? OR details LIKE ? OR category` LIKE ? OR subcategory LIKE ? OR price LIKE ?');

现在你有 5 个参数。您需要为所有 5 个参数提供值,如下所示。

$stmt->bind_param('sssss', "%$searchquery%", "%$searchquery%", "%$searchquery%", "%$searchquery%", "%$searchquery%");

我还注意到您在变量中使用了单引号 ( ') 。%$searchquery%您将需要使用双引号",因为单引号不会扩展您的变量。

于 2013-08-17T03:49:33.363 回答