I have two questions:
Is there a more concise way for me to execute this prepared statement? It seems like a lot is going on here.
Could you address the "how can I sanitize this" part of the code? I want to make sure it is safe.
By the way, all of this seems to work fine. I just want to tidy it up a bit.
<?php
session_start();
require_once './config/config.php';
require_once 'includes/auth_validate.php';
include_once 'includes/header.php';
error_reporting (E_ALL ^ E_NOTICE);
//ONLY SUPER AND ADMINS ARE ALLOWED TO ACCESS THIS PAGE
if ($_SESSION['admin_type'] !=='admin' && $_SESSION['admin_type'] !=='super') {
$_SESSION['admin_type'] = "undefined";
echo 'Permission Denied';
exit();
}
// How can I sanatize this
$customer_id = filter_input(INPUT_GET, 'customer_id', FILTER_VALIDATE_INT);
$operation = filter_input(INPUT_GET, 'operation',FILTER_SANITIZE_STRING);
($operation == 'edit') ? $edit = true : $edit = false;
$db = getDbInstance();
$cid = htmlentities ($_GET['customer_id']);
$sql = "SELECT
(SELECT treatment_log.bdi FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk=customers.id WHERE treatment_log.created_at=(SELECT MIN(created_at) FROM treatment_log WHERE treatment_fk = ?) AND customers.id = ?) AS first_bdi,
(SELECT treatment_log.pain FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk=customers.id WHERE treatment_log.created_at=(SELECT MIN(created_at) FROM treatment_log WHERE treatment_fk = ?) AND customers.id = ?) AS first_pain,
(SELECT treatment_log.suicidality FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk=customers.id WHERE treatment_log.created_at=(SELECT MIN(created_at) FROM treatment_log WHERE treatment_fk = ?) AND customers.id = ?) AS first_suicidality,
(SELECT treatment_log.bdi FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk=customers.id WHERE treatment_log.created_at=(SELECT MAX(created_at) FROM treatment_log WHERE treatment_fk = ?) AND customers.id = ?) AS last_bdi,
(SELECT treatment_log.pain FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk=customers.id WHERE treatment_log.created_at=(SELECT MAX(created_at) FROM treatment_log WHERE treatment_fk = ?) AND customers.id = ?) AS last_pain,
(SELECT treatment_log.suicidality FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk=customers.id WHERE treatment_log.created_at=(SELECT MAX(created_at) FROM treatment_log WHERE treatment_fk = ?) AND customers.id = ?) AS last_suicidality,
(SELECT CAST(treatment_log.created_at as DATE) FROM treatment_log LEFT JOIN customers ON treatment_log.treatment_fk = customers.id WHERE treatment_log.created_at = (SELECT MAX(created_at) FROM treatment_log WHERE treatment_fk = ?)AND customers.id = ?) AS last_visit,
(SELECT COUNT(*) FROM treatment_log WHERE treatment_fk = ?) AS completed_treatments,
(SELECT COUNT(*) FROM treatment_log WHERE treatment_fk = ? AND missed_treatment='yes') AS number_of_missed_treatments,
(SELECT COUNT(*) FROM bdi WHERE bdi_fk = ?) AS completed_bdis,
(SELECT customers.f_name FROM customers WHERE customers.id = ?) AS f_name,
(SELECT customers.l_name FROM customers WHERE customers.id = ?) AS l_name,
(SELECT customers.status FROM customers WHERE customers.id = ?) AS status,
(SELECT customers.mrn FROM customers WHERE customers.id = ?) AS mrn,
(SELECT customers.ohip FROM customers WHERE customers.id = ?) AS ohip,
(SELECT customers.sex FROM customers WHERE customers.id = ?) AS sex,
(SELECT customers.address FROM customers WHERE customers.id = ?) AS address,
(SELECT customers.city FROM customers WHERE customers.id = ?) AS city,
(SELECT customers.postal_code FROM customers WHERE customers.id = ?) AS country,
(SELECT customers.phone FROM customers WHERE customers.id = ?) AS phone,
(SELECT customers.about FROM customers WHERE customers.id = ?) AS about,
(SELECT customers.date_of_birth FROM customers WHERE customers.id = ?) AS date_of_birth,
(SELECT customers.protocol FROM customers WHERE customers.id = ?) AS protocol,
(SELECT customers.treatment_location FROM customers WHERE customers.id = ?) AS treatment_location,
(SELECT customers.area FROM customers WHERE customers.id = ?) AS area,
(SELECT customers.dx FROM customers WHERE customers.id = ?) AS dx,
(SELECT customers.room FROM customers WHERE customers.id = ?) AS room,
(SELECT customers.coil FROM customers WHERE customers.id = ?) AS coil,
(SELECT customers.target_threshold FROM customers WHERE customers.id = ?) AS target_thresold,
(SELECT customers.number_of_treatments FROM customers WHERE customers.id = ?) AS number_of_treatments,
(SELECT customers.motor_threshold FROM customers WHERE customers.id = ?) AS motor_threshold,
(SELECT customers.threshold_multiplier FROM customers WHERE customers.id = ?) AS threshold_multiplier,
(SELECT customers.created_at FROM customers WHERE customers.id = ?) AS created_at,
(SELECT customers.updated_at FROM customers WHERE customers.id = ?) AS updated_at;";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_prepare($stmt, $sql);
mysqli_stmt_bind_param($stmt, "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii", $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid, $cid);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
?>
Accepted answer
As noted in the comments, htmlentities() has nothing to do with preventing SQL injection. Use it when you want to output something into HTML and want to avoid XSS vulnerabilities.
I would not write all of these queries as separate subqueries. It is unlikely that you need to fetch all of this information in a single SQL statement. Cramming that much work into one SQL call does not make it significantly more efficient, but it does make your code much harder to write.
Remember this bit of wisdom:
Everyone knows that debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?
Here is how I would write the code:
If you use parameterized queries, sanitizing is completely unnecessary. But if you want to, here is a simpler way:
$customer_id = (int) $_GET['customer_id'];
Yes! Just cast to (int). It is trivial to write, easy to explain in a code review, and faster to execute than a function call.
Then split the SQL into several queries, grouping them in a sensible way so that you do not need subqueries or column aliases. Simpler queries are easier to code, easier to debug, and easier to modify if you need to later (and if another developer has to modify it, they will thank you for writing code that is easier to work with).
A simple way to get the first visit is to sort by created_at and use LIMIT 1.
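The validation and output-escaping split described above, written out as an added example (this is not code from the question or the answer). It assumes only the customer_id query parameter named in the question; the sample inputs are constructed. It goes slightly beyond the (int) cast by rejecting malformed values outright instead of silently coercing them, and it shows where htmlspecialchars() does belong: at the point of HTML output.

```php
<?php
// Added example, not the original question's or answer's code.
declare(strict_types=1);

/**
 * Return customer_id from the query string as a positive int, or null when it
 * is missing or not a well-formed positive integer.
 */
function customer_id_from_query(array $query): ?int
{
    if (!isset($query['customer_id']) || !is_string($query['customer_id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "42abc", "12.5" and "", whereas a bare (int)
    // cast silently turns "42abc" into 42 and "abc" into 0.
    $id = filter_var($query['customer_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Escape a value for insertion into an HTML text node or attribute. This is
 * the job htmlentities()/htmlspecialchars() exist for: output, not SQL.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['customer_id' => '42'],
    ['customer_id' => '42abc'],
    ['customer_id' => '12.5'],
    ['customer_id' => '0'],
    ['customer_id' => '<b>x</b>'],
    [],
];

foreach ($samples as $get) {
    $id = customer_id_from_query($get);
    if ($id === null) {
        // In a real request handler: respond with 400 here and run no query.
        echo 'Rejected: ', h((string) ($get['customer_id'] ?? '')), "\n";
        continue;
    }
    // $id is an int: bind it with "i" in a prepared statement; no escaping needed.
    echo 'Accepted customer_id=', $id, "\n";
}
```

The validated int is what you bind with "i"; the escaped string is what you print into the page. Keeping those two concerns in two functions makes it obvious in review which one each call site is doing.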
$sql = "SELECT bdi, pain, suicidality FROM treatment_log WHERE treatment_fk = ?
ORDER BY created_at LIMIT 1";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $customer_id);
$stmt->execute();
$rows1 = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
To get the last visit, sort by created_at in descending order and use LIMIT 1.
$sql = "SELECT bdi, pain, suicidality, DATE(created_at) AS last_visit
FROM treatment_log WHERE treatment_fk = ?
ORDER BY created_at DESC LIMIT 1";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $customer_id);
$stmt->execute();
$rows2 = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
Here is a trick: in MySQL, true is 1 and false is 0, so you can SUM() a boolean expression as a way of counting the rows for which it is true.
$sql = "SELECT COUNT(*) AS completed_treatments,
SUM(missed_treatment='yes') AS number_of_missed_treatments
FROM treatment_log WHERE treatment_fk = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $customer_id);
$stmt->execute();
$rows3 = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
The other queries are straightforward.
$sql = "SELECT COUNT(*) AS completed_bdis FROM bdi WHERE bdi_fk = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $customer_id);
$stmt->execute();
$rows4 = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$sql = "SELECT f_name, l_name, status, mrn, ohip, sex, address, city, postal_code,
phone, about, date_of_birth, protocol, treatment_location, area, dx, room,
coil, target_threshold, number_of_treatments, motor_threshold,
threshold_multiplier, created_at, updated_at
FROM customers WHERE id = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $customer_id);
$stmt->execute();
$rows5 = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
In all of these queries we only need to bind $customer_id once per query, which makes this code much easier to write. No need to strain your eyes counting the length of a long "iiii..." string and matching it to the number of parameters.
P.S.: I have not tested this code, so if there are typos I am sure you can fix them.
Source: php - Fixing a prepared statement, a similar question on Stack Overflow: https://stackoverflow.com/questions/54174501/
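The split-up queries from the answer, collected into one helper as an added example (this is not the answer's code). It assumes $conn is an open mysqli connection and the tables and columns named in the question (treatment_log, bdi, customers); the customer_summary() function name and the summary array layout are this example's own. It also makes two things explicit that the answer leaves implicit: mysqli_stmt has no fetch_all(), so rows come from get_result(), and with mysqli_report() set to throw, a failed prepare or execute cannot be silently ignored.

```php
<?php
// Added example, not the original answer's code.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false that nobody checks.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Prepare $sql, bind one integer parameter, execute, and return the first row
 * as an associative array, or null when the query matched nothing.
 */
function fetch_one_by_id(mysqli $conn, string $sql, int $id): ?array
{
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $id);          // bound once per query, no "iiii..." string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Assemble the per-customer summary from several small queries.
 * Throws RuntimeException if the customer does not exist.
 */
function customer_summary(mysqli $conn, int $customer_id): array
{
    $first = fetch_one_by_id($conn,
        'SELECT bdi, pain, suicidality FROM treatment_log
          WHERE treatment_fk = ? ORDER BY created_at ASC LIMIT 1', $customer_id);

    $last = fetch_one_by_id($conn,
        'SELECT bdi, pain, suicidality, DATE(created_at) AS last_visit
           FROM treatment_log WHERE treatment_fk = ?
          ORDER BY created_at DESC LIMIT 1', $customer_id);

    // COUNT(*) and a boolean SUM() in one pass: MySQL evaluates
    // missed_treatment = 'yes' as 1 or 0. COALESCE keeps 0 instead of NULL
    // when the customer has no treatment rows at all.
    $counts = fetch_one_by_id($conn,
        "SELECT COUNT(*) AS completed_treatments,
                COALESCE(SUM(missed_treatment = 'yes'), 0) AS number_of_missed_treatments
           FROM treatment_log WHERE treatment_fk = ?", $customer_id);

    $bdis = fetch_one_by_id($conn,
        'SELECT COUNT(*) AS completed_bdis FROM bdi WHERE bdi_fk = ?', $customer_id);

    $customer = fetch_one_by_id($conn,
        'SELECT f_name, l_name, status, mrn, ohip, sex, address, city, postal_code,
                phone, about, date_of_birth, protocol, treatment_location, area, dx,
                room, coil, target_threshold, number_of_treatments, motor_threshold,
                threshold_multiplier, created_at, updated_at
           FROM customers WHERE id = ?', $customer_id);

    if ($customer === null) {
        throw new RuntimeException('No such customer');
    }

    return [
        'customer'        => $customer,
        'first_visit'     => $first,   // null until the first treatment is logged
        'last_visit'      => $last,
        'treatments'      => $counts,
        'completed_bdis'  => (int) $bdis['completed_bdis'],
    ];
}

// Usage, after the admin-session check and customer_id validation from the page:
// $summary = customer_summary($conn, $customer_id);
// echo htmlspecialchars($summary['customer']['f_name'], ENT_QUOTES, 'UTF-8');
```

Because every query takes exactly one "i" parameter, the helper is the only place a bind happens, so adding a sixth query later cannot desynchronise a type string from its argument list.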