1. 首頁
  2. 問答
  3. 如何將下面的mysql腳本轉換爲mysqli或pdo?

如何將下面的mysql腳本轉換爲mysqli或pdo?

2015-07-10 136 views
-1

有人請轉換我的下面的php + mysql搜索腳本爲php + mysqli或php + Pdo聲明...我不知道如何做到這一點...請幫助我... Tnx提前...如何將下面的mysql腳本轉換爲mysqli或pdo?

我的形式腳本

<html> 
<head> 
<title>search engine</title> 
</head> 
<body> 
<form action = 'ss.php' method ='GET'> 
<input type = "text" name = "q"> 
<input type = "submit" name = "submit" value = "search" 
</body> 
</html>

而且我的搜索引擎腳本是

<?php 
$k = $_GET["q"]; 
$con = mysql_connect("localhost", "root", ""); 
mysql_select_db("x"); 
$terms=explode(" ",$k); 
$i=0; 
$set_limit = ("9"); 
$subi = ""; 
foreach ($terms as $each) 

{ 
    $i++; 

    if ($i == 1) 
     $subi.= " title LIKE '%$each%' "; 
    else 
     $subi.= " AND title LIKE '%$each%' "; 

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit"; 

$qry = mysql_query("$query"); 

$row_object = mysql_query("Select Found_Rows() as rowcount"); 
$row_object = mysql_fetch_object($row_object); 
$actual_row_count = $row_object->rowcount; 
$result = $actual_row_count; 
?>

Diplaying結果

<?php 
if ($result>0) 
{ 
    while ($row = mysql_fetch_array($qry)){ 
$title=$row['title']; 
$href=$row['href']; 
$img=$row['img']; 
echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=_blank </a></div></div></div></div>\n"; 
} 
} 
else 
{ 
    echo "Sorry No Items Found For " .$k; 
} 
?>

來源

2015-07-10 Subi

+0

你做了任何研究,甚至一個簡單的谷歌搜索?,你會發現很多關於這一主題的文章:)嘗試「防止MySQL的PHP​​注入」 –

回答

-2

首先避免使用mysql_*這些函數已被棄用,
你的代碼對於SQL注入是易受攻擊的,假設我是用戶,並且如果我在輸入%';#中輸入,那麼無論你有什麼條件,你的查詢都會返回所有結果適用於過濾結果,

爲了避免將它放在你的查詢之前,SQL注入您應該使用消毒所有mysqli_real_escape_string用戶輸入或使用PDO Prepared Statements

UPDATE

$k = $_GET["q"]; 
$con = mysql_connect("localhost", "root", ""); 
mysql_select_db("x"); 
$terms=explode(" ",$k); 
$i=0; 
$set_limit = ("9"); 
$subi = ""; 
foreach ($terms as $each) 

{ 
    $i++; 
    $escapedSearchString = mysql_real_escape_string($each); 
    if ($i == 1) 
     $subi.= " title LIKE '%$escapedSearchString%' "; 
    else 
     $subi.= " AND title LIKE '%$escapedSearchString%' "; 

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit"; 

$qry = mysql_query("$query"); 

$row_object = mysql_query("Select Found_Rows() as rowcount"); 
$row_object = mysql_fetch_object($row_object); 
$actual_row_count = $row_object->rowcount; 
$result = $actual_row_count;

使用mysqli_ *

$k = $_GET["q"]; 
$con = mysqli_connect("localhost", "root", ""); 
mysqli_select_db($con,"x"); 
$terms=explode(" ",$k); 
$i=0; 
$set_limit = ("9"); 
$subi = ""; 
foreach ($terms as $each) 

{ 
    $i++; 
    $escapedSearchString = mysqli_real_escape_string($con,$each); 
    if ($i == 1) 
     $subi.= " title LIKE '%$escapedSearchString%' "; 
    else 
     $subi.= " AND title LIKE '%$escapedSearchString%' "; 

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit"; 

$qry = mysqli_query($con,"$query"); 

$row_object = mysqli_query($con,"Select Found_Rows() as rowcount"); 
$row_object = mysqli_fetch_object($row_object); 
$actual_row_count = $row_object->rowcount; 
$result = $actual_row_count;

來源

2015-07-10 04:25:27 Raja

+0

現在我的代碼是真正安全的..? ohh myy godd ... tnk u Sir ... – Subi

+1

@Subi,至少從SQL注入來看,如果您清理所有用戶輸入,SQL注入不再是威脅。更好的方法是使用'PDO預備聲明' – Raja

+0

先生我是一名機械工程師...所以我不擁有更多的編程語言...這就是我問非常愚蠢的問題...先生先生... ...反正tnk u sooo多先生... – Subi

相關問題

 相關問題