ai didi

PHP Mysql select 只显示一行

转载 作者:行者123 更新时间:2023-11-29 06:25:11 24 4
gpt4 key购买 nike

我目前正在尝试制作电视剧的一页。不知何故,页面只显示一行 seasons,在我的数据库中是 5。

$sql = "SELECT * FROM `shows` WHERE url='".dburl($_GET["url"])."'";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {

// General info about the TV show here

$sql = "SELECT * FROM seasons WHERE `show`='".$row["id"]."' ORDER BY number ASC";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
while($seasons = $result->fetch_assoc()) {

// The seasons

$sql= "SELECT * FROM episodes WHERE `show`='".$row["id"]."' AND `season`='".$seasons["number"]."' ORDER BY number DESC";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
while($episodes = $result->fetch_assoc()) {

// The episodes, sorted by season

}
}

}
}

}
}

有没有什么变化是我忽略了什么? episodes 部分工作得很好,它显示了一个季节中的所有剧集。

最佳答案

我建议你在一个 mysql 查询中获取所有数据,使用适当的变量转义,这样代码会比你得到的代码更简单、更易读。那么也许您会犯更少的错误,但编码会更好:

$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db");

/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}

$sql = "SELECT * FROM `shows` sh
JOIN `seasons` se.show ON sh.id
JOIN `episodes` e ON e.show = se.id AND e.season = e.number
WHERE url=?
ORDER BY se.number, e.number";

/* Prepare statement */
$stmt = $conn->prepare($sql);
if($stmt === false) {
trigger_error('Wrong SQL: ' . $sql . ' Error: ' . $conn->errno . ' ' .$conn->error, E_USER_ERROR);
}

/* Bind parameters. Types: s = string, i = integer, d = double, b = blob */
$stmt->bind_param('s', dburl($_GET["url"]));

/* Execute statement */
$stmt->execute();

/* Fetch result to array */
$res = $stmt->get_result();
while($row = $res->fetch_array(MYSQLI_ASSOC)) {
array_push($a_data, $row);
}

/* close statement */
$stmt->close();
}

/* close connection */
$mysqli->close();

理由或解释:

Never concatenate or interpolate data in SQL

Never build up a string of SQL that includes user data, either by concatenation:

$sql = "SELECT * FROM users WHERE username = '" . $username . "';";

or interpolation, which is essentially the same:

$sql = "SELECT * FROM users WHERE username = '$username';";

If '$username' has come from an untrusted source (and you must assume it has, since you cannot easily see that in source code), it could contain characters such as ' that will allow an attacker to execute very different queries than the one intended, including deleting your entire database etc. Using prepared statements and bound parameters is a much better solution. PHP's mysqli and PDO functionality includes this feature (see below).

来自 OWASP:PHP Security Sheet

关于PHP Mysql select 只显示一行,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/31488009/

24 4 0
文章推荐: php - 查询将列值设置为 0,而它应该是 10
文章推荐: 用于多列的 Java MySQL DISTINCT
文章推荐: mysql - 获取用户未对 SQL 查询投票的所有配置文件
文章推荐: mysql - 重置 MySql 数据库中的数据
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com