如何将下面的mysql脚本转换为mysqli或pdo?
问题描述:
有人请转换我的下面的php + mysql搜索脚本为php + mysqli或php + Pdo声明...我不知道如何做到这一点...请帮助我... Tnx提前...如何将下面的mysql脚本转换为mysqli或pdo?
我的形式脚本
<html>
<head>
<title>search engine</title>
</head>
<body>
<form action = 'ss.php' method ='GET'>
<input type = "text" name = "q">
<input type = "submit" name = "submit" value = "search"
</body>
</html>
而且我的搜索引擎脚本是
<?php
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each)
{
$i++;
if ($i == 1)
$subi.= " title LIKE '%$each%' ";
else
$subi.= " AND title LIKE '%$each%' ";
}
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit";
$qry = mysql_query("$query");
$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>
Diplaying结果
<?php
if ($result>0)
{
while ($row = mysql_fetch_array($qry)){
$title=$row['title'];
$href=$row['href'];
$img=$row['img'];
echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=_blank </a></div></div></div></div>\n";
}
}
else
{
echo "Sorry No Items Found For " .$k;
}
?>
答
首先避免使用mysql_*
这些函数已被弃用,
你的代码对于SQL注入是易受攻击的,假设我是用户,并且如果我在输入%';#
中输入,那么无论你有什么条件,你的查询都会返回所有结果适用于过滤结果,
为了避免将它放在你的查询之前,SQL注入您应该使用消毒所有mysqli_real_escape_string
用户输入或使用PDO Prepared Statements
UPDATE
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each)
{
$i++;
$escapedSearchString = mysql_real_escape_string($each);
if ($i == 1)
$subi.= " title LIKE '%$escapedSearchString%' ";
else
$subi.= " AND title LIKE '%$escapedSearchString%' ";
}
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit";
$qry = mysql_query("$query");
$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
使用mysqli_ *
$k = $_GET["q"];
$con = mysqli_connect("localhost", "root", "");
mysqli_select_db($con,"x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each)
{
$i++;
$escapedSearchString = mysqli_real_escape_string($con,$each);
if ($i == 1)
$subi.= " title LIKE '%$escapedSearchString%' ";
else
$subi.= " AND title LIKE '%$escapedSearchString%' ";
}
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by rand() limit $set_limit";
$qry = mysqli_query($con,"$query");
$row_object = mysqli_query($con,"Select Found_Rows() as rowcount");
$row_object = mysqli_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
你做了任何研究,甚至一个简单的谷歌搜索?,你会发现很多关于这一主题的文章:)尝试“防止MySQL的PHP注入” –