douguyi3903 2013-07-03 12:32
Views: 44
Accepted

Retrieving data from a MySQL DB does not work / PHP

I have the following PHP source:

$type_ID = $_GET["typeID"];
try {
    $article_ID = $_GET["articleID"];
    $select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID");
}
catch (Exception $e) {
    $select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE typeID=$type_ID");
}
$row = mysql_fetch_assoc($select_query);
echo '<h1>'.$row['articleTitle'].'</h1>';
echo $row['articleContent'];

I know that this code is not safe, and you can easily do SQL injection.

The problem here is that it doesn't go into the catch part (after the try) even when it should. The solution may be easy but I can't solve it.

Why doesn't it go into the catch section?


2 answers

  • dongqiang4986 2013-07-03 12:53

    You'd have to change your queries to use the `or` to catch the fail; in this case something like this may work, though I'm not 100% (can anyone correct me?). You'd be far better off moving away from mysql_ functions, though, and moving to mysqli or PDO in an OO style; then you can better trap and handle the errors.

    $type_ID = $_GET["typeID"];
    try {
        $article_ID = $_GET["articleID"];
        $select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID");
        // mysql_query() returns false on failure instead of throwing, so raise the exception ourselves.
        // (`... or throw new Exception(...)` only parses on PHP 8+, where throw became an expression.)
        if ($select_query === false) {
            throw new Exception("ERROR HERE");
        }
    }
    catch (Exception $e) {
        $select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE typeID=$type_ID"); // note we can't throw an exception here because it's already in the try/catch. perhaps we should look at something like the finally statement.
        //echo $e->getMessage(); //uncomment this line if you want to output the exception error text set above
    }
    $row = mysql_fetch_assoc($select_query);
    echo '<h1>'.$row['articleTitle'].'</h1>';
    echo $row['articleContent'];
    

    Actually, just had a thought: you'd be much better off doing something like this and validating your inputs beforehand. (Note I'm doing no string escaping here; don't forget to do it.)

    $type_ID = $_GET["typeID"];
    $article_ID = $_GET["articleID"];

    // Only use the articleID filter when both inputs are present and numeric.
    if (strlen($type_ID) > 0 && strlen($article_ID) > 0 && is_numeric($type_ID) && is_numeric($article_ID)) {
        $sqlquery = "SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID";
    } else {
        $sqlquery = "SELECT articleContent, articleTitle From articles WHERE typeID=$type_ID";
    }

    try {
        $queryresult = mysql_query($sqlquery);
        // mysql_query() signals failure by returning false; turn that into an exception.
        if ($queryresult === false) {
            throw new Exception("Query Failed");
        }
    } catch (Exception $e) {
        echo $e->getMessage();
    }
    

    So basically you're validating and checking your inputs and switching your SQL statements beforehand; then your try/catch logic is purely for "did the query succeed or fail", which is far more sensible than what you were attempting.

    This answer was selected by the asker as the best answer.
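The accepted answer's two recommendations, moving to PDO so that a failed query actually throws, and validating the inputs before choosing the statement, shown together as an added example (not code from the question or the answer). It assumes an in-memory SQLite database with a constructed `articles` table standing in for the MySQL server, so it runs offline; against MySQL only the DSN and credentials in `connect()` would change. The function names `connect`, `positiveInt` and `fetchArticle` are this example's own.

```php
<?php
// Added example: the article lookup with PDO in exception mode and prepared
// statements. Assumption: SQLite in memory replaces the MySQL server of the
// question, and the rows below are constructed sample data.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // With ERRMODE_EXCEPTION a failed query throws PDOException instead of
    // returning false, so a try/catch around it catches something.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE articles (articleID INTEGER, typeID INTEGER, articleTitle TEXT, articleContent TEXT)');
    $pdo->exec("INSERT INTO articles VALUES (1, 10, 'First', 'Body one'), (2, 10, 'Second', 'Body two')");
    return $pdo;
}

// Accepts a positive integer and rejects everything else (including "2 OR 1=1").
function positiveInt(?string $raw): ?int {
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

function fetchArticle(PDO $pdo, array $get): ?array {
    $typeID = positiveInt($get['typeID'] ?? null);
    if ($typeID === null) {
        throw new InvalidArgumentException('typeID is required and must be a positive integer');
    }
    $articleID = positiveInt($get['articleID'] ?? null);

    // Pick the statement up front, as the answer suggests, instead of using the
    // catch block as control flow. Values travel as bound parameters and are
    // never interpolated into the SQL text.
    if ($articleID !== null) {
        $stmt = $pdo->prepare('SELECT articleContent, articleTitle FROM articles WHERE articleID = :article AND typeID = :type');
        $stmt->bindValue(':article', $articleID, PDO::PARAM_INT);
    } else {
        $stmt = $pdo->prepare('SELECT articleContent, articleTitle FROM articles WHERE typeID = :type ORDER BY articleID LIMIT 1');
    }
    $stmt->bindValue(':type', $typeID, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
// Constructed request inputs: a full lookup, a type-only lookup, and a malformed articleID.
$requests = [
    ['typeID' => '10', 'articleID' => '2'],
    ['typeID' => '10'],
    ['typeID' => '10', 'articleID' => '2 OR 1=1'],
];
foreach ($requests as $get) {
    try {
        $row = fetchArticle($pdo, $get);
        // Escape on output as well; the original echoed database content raw into HTML.
        echo $row === null ? "no row\n" : htmlspecialchars($row['articleTitle'], ENT_QUOTES, 'UTF-8') . "\n";
    } catch (PDOException $e) {
        // Database-level failure: log the detail, show the user a generic message.
        error_log($e->getMessage());
        echo "query failed\n";
    } catch (InvalidArgumentException $e) {
        echo 'bad input: ' . $e->getMessage() . "\n";
    }
}
```

The malformed third request does not reach the database with its payload: `positiveInt()` returns null for it, so the code falls back to the type-only query exactly as the answer's `is_numeric` branch does, while the bound parameters make the interpolation problem of the original code impossible in the first place.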