0

我有这个新闻系统,但我不知道怎么做:news.php?id=1然后它会输出新闻 id 1。请帮忙。

到目前为止我有这个:

<?php
include_once('includes/config.php');
if($id != "") {
    $id = mysql_real_escape_string($id);
    $sql = mysql_query("SELECT * FROM news WHERE id = '$id'");
}
$res = mysql_query($sql);
while($row = mysql_fetch_assoc($res)){
if(isset($_GET['id']));
    echo $res['body'];
}
?>

它连接到数据库(详细信息存储在配置中)。

4

3 回答 3

3

后面的参数?URL 中是 GET 项。用这个:

<?php

if (isset($_GET['id'])) {

    $id = $_GET['id'];
    // Rest of your code

}
于 2013-09-06T22:58:40.677 回答
1
<?php
include_once('includes/config.php');

// see if the id is set in the URL (news.php?id=)
if(isset($_GET['id'])) {

    // get the ID from the URL
    // to make it safer: strip any tags (if it's a number we could cast it to an integer)
    $id = strip_tags($_GET['id']);

    // don't use SELECT *, select only the fields you need
    $sql = mysql_query("SELECT body FROM news WHERE id=".mysql_real_escape_string($id));

    while($row = mysql_fetch_assoc($sql)) {
        echo $res['body'];
    }
} else {
    echo 'please select an article';
}

我建议您不要使用这些mysql功能,mysqli而是使用它,因为mysql它已被贬值,您必须学习mysqliPDO无论如何。

编辑:根据评论更新代码

于 2013-09-06T23:05:23.470 回答
1

首先让我们剖析你当前的代码,看看你哪里出错了。

<?php
include_once('includes/config.php');
/*
$id is not set anywhere before its used so this if statement will not fire,
if you are attempting to get this $id from a url parameter then you need
to set it first from $_GET['id'] global
*/
if($id != "") {
    $id = mysql_real_escape_string($id);
    $sql = mysql_query("SELECT * FROM news WHERE id = '$id'");
}
/*
This piece of code will fire but where is $sql set?
The mysql_query() function expects a string containing your sql query
so the subsequent lines of code will fail because of this
*/
$res = mysql_query($sql);
while($row = mysql_fetch_assoc($res)){
    //this block is in the wrong place
    if(isset($_GET['id']));
    echo $res['body'];

}
?>

这个想法是首先从 url 获取用户输入 EG $_GET['id'],检查该值是您要查找的值,然后构建您的查询。

由于这些mysql_*功能已被弃用,我将向您展示一个使用 PDO 的示例。尽管您可以使用 mysqli,但是当用户值与您的数据库接触时,您必须始终使用准备好的查询。这是为了阻止讨厌的/意外的 sql 注入。

<?php 
// make the connection to the database using PDO
try {
    $db = new PDO('mysql:host=127.0.0.1;dbname=the_awsome_db', 'yourusername', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec("SET CHARACTER SET utf8");

} catch(PDOException $e) {
    exit('Sorry there is a problem with the database connection :' . $e->getMessage());
}

// sanitize user input - expecting an int
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);

if (is_numeric($id)) {
    // now lets query the database with the param id from the user

    // prepare the query, using a placeholder
    $stmt = $db->prepare('SELECT body, 
                                 some_other_column 
                          FROM news 
                          WHERE id = :placeholder_id');

    // bind the placeholder with the value from the user
    $stmt->bindParam(':placeholder_id', $id);

    // execute the prepared query
    $stmt->execute();

    // fetch the result
    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    // result not empty - display
    if (!empty($result)) {
        // display your result, use print_r($result) to view the whole result set if unsure
        echo $result['body'];
    } else {
        // no matching id found in the db, do something
        echo 'No results found';
    }
} else {
    // do something as user input is not a number
    exit(header('Location: ./index.php'));
}
?>

希望它有所帮助,如果您不确定从用户那里获取参数,您可能需要查找更多教程并首先掌握它,然后再涉足数据库和所有这些好东西。

于 2013-09-06T23:29:27.610 回答