duan198811 2015-07-10 04:16
浏览 53
已采纳

我如何将mysql脚本转换为mysqli或pdo? [重复]

This question already has an answer here:

Anybody pls Convert My below php + mysql search script to php + mysqli or php + Pdo Statement... I don't Know How to do this... Pls help Me... Tnx In Advance...

my form script is

<html>
<head>
<title>search engine</title>
</head>
<body>
<form action = 'ss.php' method ='GET'>
<input type = "text"  name = "q">
<input type = "submit" name = "submit" value = "search"
</body>
</html>

And My Search Engine Script is 

<?php 
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) 

{
    $i++;

    if ($i == 1 )
        $subi.= " title LIKE '%$each%' ";
    else
        $subi.= " AND title LIKE '%$each%' ";

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysql_query("$query");

$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>

Diplaying Results

<?php
if ($result>0)
{
    while ($row = mysql_fetch_array($qry)){
$title=$row['title']; 
$href=$row['href'];
$img=$row['img'];
echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=_blank </a></div></div></div></div>
";
}  
}
else
{
    echo "Sorry No Items Found For " .$k;
}   
?>

</div>
  • 写回答

1条回答 默认 最新

  • doupeng2253 2015-07-10 04:25
    关注

    First of all avoid using mysql_* these functions are deprecated,
    Your code is vulnrable to SQL Injection, Let say I am a user and if I put %';# in input then your query will return me all result regardless of what conditions you have applied to filter out results,

    To avoid SQL Injection you should either sanitize all user inputs using mysqli_real_escape_string before putting it in your query or use PDO Prepared Statements

    UPDATE

    $k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) 

{
    $i++;
    $escapedSearchString = mysql_real_escape_string($each);
    if ($i == 1 )
        $subi.= " title LIKE '%$escapedSearchString%' ";
    else
        $subi.= " AND title LIKE '%$escapedSearchString%' ";

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysql_query("$query");

$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;

    Using mysqli_*

    $k = $_GET["q"];
$con = mysqli_connect("localhost", "root", "");
mysqli_select_db($con,"x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) 

{
    $i++;
    $escapedSearchString = mysqli_real_escape_string($con,$each);
    if ($i == 1 )
        $subi.= " title LIKE '%$escapedSearchString%' ";
    else
        $subi.= " AND title LIKE '%$escapedSearchString%' ";

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysqli_query($con,"$query");

$row_object = mysqli_query($con,"Select Found_Rows() as rowcount");
$row_object = mysqli_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?