duan198811 2015-07-10 04:16
浏览 53
已采纳

我如何将mysql脚本转换为mysqli或pdo? [重复]

This question already has an answer here:

Anybody pls Convert My below php + mysql search script to php + mysqli or php + Pdo Statement... I don't Know How to do this... Pls help Me... Tnx In Advance...

my form script is

<html>
<head>
<title>search engine</title>
</head>
<body>
<form action = 'ss.php' method ='GET'>
<input type = "text"  name = "q">
<input type = "submit" name = "submit" value = "search"
</body>
</html>

And My Search Engine Script is 

<?php 
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) 

{
    $i++;

    if ($i == 1 )
        $subi.= " title LIKE '%$each%' ";
    else
        $subi.= " AND title LIKE '%$each%' ";

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysql_query("$query");

$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>

Diplaying Results

<?php
if ($result>0)
{
    while ($row = mysql_fetch_array($qry)){
$title=$row['title']; 
$href=$row['href'];
$img=$row['img'];
echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=_blank </a></div></div></div></div>
";
}  
}
else
{
    echo "Sorry No Items Found For " .$k;
}   
?>

</div>
  • 写回答

1条回答 默认 最新

  • doupeng2253 2015-07-10 04:25
    关注

    First of all avoid using mysql_* these functions are deprecated,
    Your code is vulnrable to SQL Injection, Let say I am a user and if I put %';# in input then your query will return me all result regardless of what conditions you have applied to filter out results,

    To avoid SQL Injection you should either sanitize all user inputs using mysqli_real_escape_string before putting it in your query or use PDO Prepared Statements

    UPDATE

    $k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) 

{
    $i++;
    $escapedSearchString = mysql_real_escape_string($each);
    if ($i == 1 )
        $subi.= " title LIKE '%$escapedSearchString%' ";
    else
        $subi.= " AND title LIKE '%$escapedSearchString%' ";

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysql_query("$query");

$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;

    Using mysqli_*

    $k = $_GET["q"];
$con = mysqli_connect("localhost", "root", "");
mysqli_select_db($con,"x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) 

{
    $i++;
    $escapedSearchString = mysqli_real_escape_string($con,$each);
    if ($i == 1 )
        $subi.= " title LIKE '%$escapedSearchString%' ";
    else
        $subi.= " AND title LIKE '%$escapedSearchString%' ";

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysqli_query($con,"$query");

$row_object = mysqli_query($con,"Select Found_Rows() as rowcount");
$row_object = mysqli_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 数学建模,尽量用matlab回答,论文格式
  • ¥15 昨天挂载了一下u盘,然后拔了
  • ¥30 win from 窗口最大最小化,控件放大缩小,闪烁问题
  • ¥20 易康econgnition精度验证
  • ¥15 msix packaging tool打包问题
  • ¥28 微信小程序开发页面布局没问题,真机调试的时候页面布局就乱了
  • ¥15 python的qt5界面
  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能