您的位置: 首页  >  技术问答  >  如何将下面的mysql脚本转换为mysqli或pdo?

如何将下面的mysql脚本转换为mysqli或pdo?

分类: 技术问答 2022-07-09 14:24:30
问题描述:

有人请转换我的下面的php + mysql搜索脚本为php + mysqli或php + Pdo声明...我不知道如何做到这一点...请帮助我... Tnx提前...如何将下面的mysql脚本转换为mysqli或pdo?

我的形式脚本

<html> 
<head> 
<title>search engine</title> 
</head> 
<body> 
<form action = 'ss.php' method ='GET'> 
<input type = "text" name = "q"> 
<input type = "submit" name = "submit" value = "search" 
</body> 
</html>

而且我的搜索引擎脚本是

<?php 
$k = $_GET["q"]; 
$con = mysql_connect("localhost", "root", ""); 
mysql_select_db("x"); 
$terms=explode(" ",$k); 
$i=0; 
$set_limit = ("9"); 
$subi = ""; 
foreach ($terms as $each) 

{ 
    $i++; 

    if ($i == 1) 
     $subi.= " title LIKE '%$each%' "; 
    else 
     $subi.= " AND title LIKE '%$each%' "; 

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit"; 

$qry = mysql_query("$query"); 

$row_object = mysql_query("Select Found_Rows() as rowcount"); 
$row_object = mysql_fetch_object($row_object); 
$actual_row_count = $row_object->rowcount; 
$result = $actual_row_count; 
?>

Diplaying结果

<?php 
if ($result>0) 
{ 
    while ($row = mysql_fetch_array($qry)){ 
$title=$row['title']; 
$href=$row['href']; 
$img=$row['img']; 
echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=_blank </a></div></div></div></div>\n"; 
} 
} 
else 
{ 
    echo "Sorry No Items Found For " .$k; 
} 
?>
+0

你做了任何研究,甚至一个简单的谷歌搜索?,你会发现很多关于这一主题的文章:)尝试“防止MySQL的PHP​​注入” –

首先避免使用mysql_*这些函数已被弃用,
你的代码对于SQL注入是易受攻击的,假设我是用户,并且如果我在输入%';#中输入,那么无论你有什么条件,你的查询都会返回所有结果适用于过滤结果,

为了避免将它放在你的查询之前,SQL注入您应该使用消毒所有mysqli_real_escape_string用户输入或使用PDO Prepared Statements

UPDATE

$k = $_GET["q"]; 
$con = mysql_connect("localhost", "root", ""); 
mysql_select_db("x"); 
$terms=explode(" ",$k); 
$i=0; 
$set_limit = ("9"); 
$subi = ""; 
foreach ($terms as $each) 

{ 
    $i++; 
    $escapedSearchString = mysql_real_escape_string($each); 
    if ($i == 1) 
     $subi.= " title LIKE '%$escapedSearchString%' "; 
    else 
     $subi.= " AND title LIKE '%$escapedSearchString%' "; 

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit"; 

$qry = mysql_query("$query"); 

$row_object = mysql_query("Select Found_Rows() as rowcount"); 
$row_object = mysql_fetch_object($row_object); 
$actual_row_count = $row_object->rowcount; 
$result = $actual_row_count;

使用mysqli_ *

$k = $_GET["q"]; 
$con = mysqli_connect("localhost", "root", ""); 
mysqli_select_db($con,"x"); 
$terms=explode(" ",$k); 
$i=0; 
$set_limit = ("9"); 
$subi = ""; 
foreach ($terms as $each) 

{ 
    $i++; 
    $escapedSearchString = mysqli_real_escape_string($con,$each); 
    if ($i == 1) 
     $subi.= " title LIKE '%$escapedSearchString%' "; 
    else 
     $subi.= " AND title LIKE '%$escapedSearchString%' "; 

    } 
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit"; 

$qry = mysqli_query($con,"$query"); 

$row_object = mysqli_query($con,"Select Found_Rows() as rowcount"); 
$row_object = mysqli_fetch_object($row_object); 
$actual_row_count = $row_object->rowcount; 
$result = $actual_row_count;
+0

现在我的代码是真正安全的..? ohh myy godd ... tnk u Sir ... – Subi

+1

@Subi,至少从SQL注入来看,如果您清理所有用户输入,SQL注入不再是威胁。更好的方法是使用'PDO预备声明' – Raja

+0

先生我是一名机械工程师...所以我不拥有更多的编程语言...这就是我问非常愚蠢的问题...先生先生... ...反正tnk u sooo多先生... – Subi

相关推荐