用于PDO的AJAX升级（$ qry_result）

I learned the basics of PDO queries just recently, and now I'm tackling AJAX. I have a working AJAX script from a tutorial, but it's written with "old-fashioned" DB queries, rather than PDO.

I've been trying to modify it, but it isn't working yet. I think I've fixed everything for this line, which I don't understand:

$qry_result = mysql_query($query) or die(mysql_error());

How do I modify that line?

This was the original query:

$query = "SELECT * FROM people_bios WHERE Gender = '$Gender'";

I pasted the entire script below - not the original, but my upgrade.

$dsn = "mysql:host=localhost;dbname=db_new;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);

$pdo = new PDO($dsn,'UserMe','aBCs804hG24LME', $opt);

// Retrieve data from Query String
$age = $_GET['age'];
$Gender = $_GET['Gender'];
$wpm = $_GET['wpm'];
// Escape User Input to help prevent SQL Injection
// NOTE: Since I've converted this to PDO, I assume I can delete the next three lines:
// $age = mysql_real_escape_string($age);
// $Gender = mysql_real_escape_string($Gender);
// $wpm = mysql_real_escape_string($wpm);

$sql= "SELECT * FROM people_bios WHERE Gender = '$Gender'";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':Gender',$Gender,PDO::PARAM_STR);
$stmt->execute();
$Total = $stmt->fetch();

if(is_numeric($age))
$query .= " AND age <= $age";
if(is_numeric($wpm))
$query .= " AND wpm <= $wpm";

$qry_result = mysql_query($query) or die(mysql_error());

//Build Result String
$display_string = "<table>";
$display_string .= "<tr>";
$display_string .= "<th>Name</th>";
$display_string .= "<th>Age</th>";
$display_string .= "<th>Gender</th>";
$display_string .= "<th>WPM</th>";
$display_string .= "</tr>";

// Insert a new row in the table for each person returned
while ($row = $stm->fetch())
{
$display_string .= "<tr>";
$display_string .= "<td>$row[Common]</td>";
$display_string .= "<td>$row[age]</td>";
$display_string .= "<td>$row[Gender]</td>";
$display_string .= "<td>$row[wpm]</td>";
$display_string .= "</tr>";

}
echo "Query: " . $query . "<br />";
$display_string .= "</table>";
echo $display_string;

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
donglian1523 2014-01-19 17:25
关注
First off, this is the wrong way to use prepared queries:

$sql= "SELECT * FROM people_bios WHERE Gender = '$Gender'"; $stmt = $pdo->prepare($sql); $stmt->bindParam(':Gender',$Gender,PDO::PARAM_STR); $stmt->execute(); $Total = $stmt->fetch();

In the query line, you're still concatenating in the value, and are still wide open to SQL injection attacks. Change your query to this:

$sql= 'SELECT * FROM people_bios WHERE Gender = :Gender';

That way when you bind the parameter, there is something to actually bind it to.

Now, back to your original question on what this line does:

mysql_query($query) or die(mysql_error());

The result of mysql_query() will be false (or falsy? I don't remember) if there is an error in running your query. That's where the or die(mysql_error()) comes in. This half of the line won't execute if the result of mysql_query() is true. So in the event of an error, die() (halt everything) and display the string returned from mysql_error(), which is the last error the MySQL client ran into.

PDO makes things a bit more helpful. You have already enabled exceptions for PDO, so you can use a try/catch block:

try { $stmt->execute(); } catch (Exception $e) { print_r($e); // Do something more useful here, like log. }

Note that you should avoid showing the database errors as is. At best, they provide some insight into your database backend and at worse important data like credentials could be revealed. Handle the error and show the user a more generic message. Log the full exception though!
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

未定义的属性：PDO :: $ affected_rows mysql php
2016-04-07 11:08

回答 1 已采纳 A PDO object has no affected_rows property. Instead you can call rowCount() on the PDOStatement:
sql pdo选择菜单值$ _POST php sql
2017-04-23 16:50

回答 1 已采纳 You can add check for that : $sql = "SELECT DISTINCT * FROM Library"; if( (isset($_POST['titel']
使用PDO将textarea $ _POST导入MySQL mysql php
2015-02-28 02:56

回答 2 已采纳 You're using desc for your column, being a MySQL reserved word without escaping it with ticks. Ei
php_pdo_sqlsrv_54_ts.dll
2014-07-22 10:57

pdo_sqlsrv扩展，用于php5.4以上版本连接sql server。
如何在PDO中使用$ _GET计算空行 mysql php
2015-03-04 03:11

回答 1 已采纳 What are you doing here?? WHERE id=:$idClick What you want to do is set a bind param and then e
什么是PDO上的bind_result mysql php
2013-09-09 20:47

回答 4 已采纳 You do not need an ugly bind_result with PDO at all. Yet you don't need to count either. Please,
PHP PDO破坏了我的$ _POST值？ mysql php
2014-05-29 21:21

回答 1 已采纳 why i use string values for $isbreak. It gets put into the sql statement as a string anyway so
PHP7.3的sql server PDO_DBLIB库
2022-07-15 08:47

- 如果性能是关键，可以考虑升级到更高级的SQL Server驱动，如PDO_SQLSRV，或者优化查询和数据库设计。 - 使用错误处理和日志记录机制来追踪和调试可能出现的问题。通过以上介绍，我们可以看到PHP7.3的PDO_DBLIB...
验证PDO预处理语句中的password_hash（） mysql php
2015-03-13 14:28

回答 1 已采纳 Since you didn't put ->fetch in a loop, the single invocation will return a single row of assoc
将$ _POST数据传递给PDO函数 php
2013-08-11 18:41

回答 1 已采纳 You should check $_POST even before executing your code, this prevents to handle empty inputs, the
存在数据库条目，但search_result返回false php
2018-01-29 11:04

回答 2 已采纳 Change your query statements like this: $sql1 = "SELECT * FROM cookies2 WHERE cookie LIKE :searc
微擎框架之$_W&全局变量
2019-12-06 12:25

dendysan的博客 $_W（大写W）,是系统中最为重要的全局变量，微擎系统中很多常用的数据都存储在这个变量之中，下面我们详细讲解一下此变量的结构。 Array ( [config] => Array 配置文件/data/config.php ( [db] => 数据库...
关于PDO的ATTR_EMULATE_PREPARES
2020-09-16 20:31

精神小伙2号的博客 1、ATTR_EMULATE_PREPARES=true(默认) 含义：本地prepare 详细：prepare不发送，execute时发送完整的sql 优点：当代码里频繁prepare，prepare放在本地，减轻mysql服务器压力 ...需慎重！！！ ...2、ATTR_EMULATE_PREPARES...
宝塔安装 pdo_mysql_linux宝塔面板安装安装 pdo_sqlsrv扩展
2021-01-19 02:39

波多野猫叔的博客第一步安装源curl ... /etc/yum.repos.d/mssqlrelease.repo第二步安装驱动yum install msodbcsql mssql-tools unixODBC-devel第三步下载pdo-sqlsrv源码wget http://pecl.php.ne...
pdo mysql fetchall_PDO中获取结果集之fetchAll()方法详解
2021-01-19 15:01

潘相呈的博客 PDO中获取结果集之fetchAll()方法详解fetchAll()方法是获取结果集中的所有行，返回一个包含结果集中所有行的二进制数组！那么在上一篇《PDO中获取结果集之fetch()方法详解》中，我们介绍了fetch()方法获取结果集，...
PHP封装的PDO数据库操作类实例
2020-10-19 16:09

在PHP中，PDO（PHP Data Objects）提供了一种数据库访问的统一接口，可以用于多种数据库系统。封装PDO数据库操作类可以方便地进行数据库的增删改查、事务处理以及批量操作。下面将详细介绍如何在PHP中封装一个基于...
为YUM安装的php添加扩展库，pdo_firebird、pdo_pgsql和pgsql
2021-12-24 14:21

勿忘VS初心的博客在测试项目中，使用了YUM进行部署nginx+php，现在需要为php添加pdo_firebird、pdo_pgsql和pgsql等扩展，具体步骤如下： [root@localhost ~]# yum install php-pdo_pgsql php-pdo_firebird #安装扩展 [root@localhost...
PHP PDO fetch() 详解
2019-01-27 22:46

weixin_33747129的博客 = 5.1.0, PHP 7, PECL pdo >= 0.1.0) PDOStatement::fetch—从结果集中获取下一行 ...PDOStatement::fetch ([ int $fetch_style [, int $cursor_orientation = PDO::FETCH_ORI_NEXT [, int $cursor_off...
捕获PDO下SQL语句中的错误之 PDO::ERRMODE_WARN|NG、PDO::ERRMODE_ EXCEPTION、PDO::ERRMODE_SILENT
2020-05-10 22:15

优雅哥cc的博客一、使用默认模式——PDO::ERRMODE_SILENT 二、使用警告模式——PDO::ERRMODE_WARN|NG 2.1 解决该网页无法正常运作目前无法处理此请求，HTTP ERROR 500 三、异常模式——PDO::ERRMODE_ EXCEPTION
[PHP]PDO的ATTR_EMULATE_PREPARES属性带来的安全问题
2021-02-27 11:17

Y4tacker的博客 PDO的ATTR_EMULATE_PREPARES属性带来的安全问题这次的思考来源于我昨天对TP5.0.9进行SQL漏洞复现的时候所引发的思考当时在PDO的prepare编译阶段报错直接抛出异常之后，在页面居然发现sql被执行了！！！因为我们...
没有解决我的问题, 去提问

悬赏问题

¥15 DS18B20内部ADC模数转换器
¥15 做个有关计算的小程序
¥15 MPI读取tif文件无法正常给各进程分配路径
¥15 如何用MATLAB实现以下三个公式（有相互嵌套）
¥30 关于#算法#的问题：运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题求各位帮我解答一下
¥15 setInterval 页面闪烁，怎么解决
¥15 如何让企业微信机器人实现消息汇总整合
¥50 关于#ui#的问题：做yolov8的ui界面出现的问题
¥15 如何用Python爬取各高校教师公开的教育和工作经历
¥15 TLE9879QXA40 电机驱动

用于PDO的AJAX升级（$ qry_result）

1条回答 默认 最新

悬赏问题

1条回答默认最新