1

我有一个庞大的数据库,其中包含有关测试代码的学生信息以及这些测试代码所获得的分数。我需要为每个测试代码对应的学生重新计算百分位数。我有一系列测试代码的代码,但它不能正常工作。

function recompute_percentiles()
{
if($_REQUEST[testcode]=="CAT B1" or $_REQUEST[testcode]=="CAT B2" or $_REQUEST[testcode]=="CAT B3" or $_REQUEST[testcode]=="CAT B4")
{

echo "<br />Got testcode: ".$_REQUEST[testcode];


$getsortedq=mysql_query("SELECT username, section1right as m from kmarks where testcode='.$_REQUEST[testcode].' order by section1right DESC");

if(!$getsortedq) 
echo "Could not get the sorted query";
else 
echo "got the sorted query quick";



$totalcount=mysql_num_rows($getsortedq);

while($r=mysql_fetch_array($getsortedq))
{
$u=$r[username];
$m=$r[m];
$array[$u]=$m;
}



$array2=$array;
//print_r($array2);

$updated=0;

foreach($array as $key=>$value)
{
$countsame=0;
foreach($array2 as $k=>$v)
{
    if($v>=$value) 
    $countsame++; 
    else
    break;
}
$countless = $totalcount - $countsame;

reset($array2);

$percentile=round($countless/$totalcount*100,2);

$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where   username='.$key.' and testcode='.$_REQUEST[testcode].'");

if(!$updatep1q)
  echo "<br />Could not update p1 for username: ".$key;
else
    $updated++;


}

echo "<br />Updated ".$updated." records in kmarks db, out of ".$totalcount." records for  testcode ".$_REQUEST[testcode];




}
}
4

2 回答 2

2

此代码存在多个严重问题 - 甚至没有触及功能......

1 PHP 语法

$_REQUEST[testcode]

不好,总是用牙套!

$_REQUEST['testcode']

2 注射倾向

您对SQL 注入HTML/Javascript注入非常开放

echo "<br />Got testcode: ".$_REQUEST[testcode]; //HTML injection...
//SQL injection
$getsortedq=mysql_query("SELECT username, section1right as m from kmarks where testcode='.$_REQUEST[testcode].' order by section1right DESC");

始终使用适当的清理(mysql(i)_real_escape_string($_REQUEST['testcode'])取决于正在使用的 mysql_ 或 mysqli)。甚至更好:在 SQL 案例中准备好的语句......

3 弃用

强制性 mysql_* 警告:mysql_函数自 PHP 5.5 起已弃用。不要使用它们:使用 PDO 或至少mysqli_函数...

功能性

这是罪魁祸首:

$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where   username='.$key.' and testcode='.$_REQUEST[testcode].'");

结果查询将显示:

UPDATE kmarks set percentile1=<somevalue>  --this is OK
where username='.<somevalue>.' and testcode='.$_REQUEST[testcode].'
                ^           ^                ^^^^^^^^^^^^^^^^^^^^^

问题被突出显示......有不需要的点,还有一个完整的坏部分。我想你想要这样的东西

UPDATE kmarks set percentile1=<somevalue>  
where username='<somevalue>' and testcode='<somevalue>'

像这样使用它(当然要进行消毒!!!):

//WARNING! STILL HAS SQL INJECTION --apply sanitization from #2 to make it safer...
$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where username='".$key."' and testcode='".$_REQUEST[testcode]."'");

数组不能在字符串文字中使用,并且.在普通变量的情况下不需要连接运算符......

于 2013-09-30T12:43:01.393 回答
0

似乎有很多代码。你可以这样做:

$results = $db->query("SELECT * FROM your_table ORDER BY sort_field");

$data = array();
while($row = $results->fetch_assoc()){
    $data[] = $row;
}

$chunks = array_chunk($data,ceil((count($data)/100)));
foreach($chunks as $key => $dataset){ 
$percentile = 99 - $key;

    foreach($dataset as $row){
        $db->query("UPDATE your_table SET percentile={$percentile} WHERE id={$row['id']}");
    }
}
于 2018-01-01T16:37:55.027 回答