This JavaScript/AJAX works on my localhost server, but when I moved it to shared hosting it now throws a "Call to a member function execute()" error in the MySQL call. The quotes are not being escaped correctly when using AJAX.
The HTML:
onclick="showTrending('page_views DESC', 'product.active= "y"
AND product.deleted= "n" ', '12', 'popular')"
and then the JavaScript:
function showTrending(mysql_order, mysql_limit, limit, trend)
{
$.ajax({ type: "POST",
url: '/ajax/product_trending.php',
data: {Mysql_Order: mysql_order, Mysql_Limit: mysql_limit, Limit: limit},
cache: false,
success: function(result) {
// if productSubType array is defined and has at least one element, display subcategory list
if(result != 0){...
and the PHP file that the AJAX calls, which is where the error is reported:
//Retrieve subcategories for supplied product type
if(isset($_POST['Mysql_Order']) && isset($_POST['Mysql_Limit'])
&& isset($_POST['Limit'])){
$mysql_order = $_POST['Mysql_Order'];
$mysql_limit = $_POST['Mysql_Limit'];
$limit = $_POST['Limit'];
//Overlay for wishlist
if(!isset($_SESSION['email'])){
$item_wishlist = NULL;
} else{
$item_wishlist = $_SESSION['id'];
}
//Get product records from db
require_once($GLOBALS['domain'].'includes/connection.inc.php');
$db = dbConnect();
$stmt = $db->stmt_init();
$stmt = $db->prepare("SELECT product.id, product.image_thumb, product.title,
product.eng_title, product.price, seller.shop_name, seller.id FROM product
INNER JOIN seller ON product.seller_id=seller.id WHERE $mysql_limit ORDER BY
$mysql_order LIMIT 0,$limit"); <-- This is the part that errors
$stmt->execute();
$stmt->bind_result($row['product_id'], $row['image_thumb'], $row['title'],
$row['eng_title'], $row['price'], $row['shop_name'], $row['seller_id']);
$counter = 0;
$product_array = array();
while ($stmt->fetch()){
...store variables
$counter++;
}
if($counter > 0){
echo json_encode($product_array);
}else{
echo json_encode(0);
}
}
The problem is that when I insert the POST variables passed from the HTML, I am not preparing the MySQL string correctly. I tested and confirmed that if I just write the MySQL out as follows, it works:
"SELECT product.id, product.image_thumb, product.title,
product.eng_title, product.price, seller.shop_name, seller.id FROM product
INNER JOIN seller ON product.seller_id=seller.id WHERE product.active= 'y'
AND product.deleted= 'n' ORDER BY
page_views DESC LIMIT 0,12"
How should I write the initial HTML call correctly so that I get the expected result in MySQL?
Despite using MySQLi prepared statements, you are getting none of their benefit; in fact, your script is still vulnerable to SQL injection. Sending SQL fragments in an HTTP request to be assembled server-side is a terrible idea. –
So just using bind_param on those fragments, rather than inserting them directly in bind_result, would fix this? – vinsanity38
@vinsanity38 No, it won't fix it. You can't bind an arbitrary SQL fragment like 'product.active = 'y'' as a parameter. It would have to be bound as 'product.active = ?', and you can't bind the column name or direction of an 'ORDER BY' at all. You really need to rethink how the AJAX tells PHP what should go into the SQL, rather than sending SQL through AJAX. –
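The following is an added example, not the asker's code or the comment author's, showing the approach the last comment recommends for the question above: the browser posts only a short key and a page size, and the PHP side maps that key to SQL it owns. It also addresses the error in the question directly: without exception mode, mysqli's prepare() returns false when the statement is malformed (which is what a truncated WHERE fragment produces), and the next line then calls execute() on a boolean. The example assumes the dbConnect() helper and include path from the question, the mysqlnd driver (for get_result()), and a product.created column for the 'newest' key; adjust those to your schema.

```php
<?php
// Added example, not the asker's code. Assumes the dbConnect() helper from the
// question, the mysqlnd driver (for get_result()), and a product.created column
// for the 'newest' key; rename those to match your schema.

// Report mysqli failures as exceptions. Without this, a malformed statement makes
// prepare() return false, and the script then dies with
// "Call to a member function execute() on bool", the error seen in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Allow-list: the trend key the browser sends -> the ORDER BY clause we control.
// Column names and sort direction cannot be bound as parameters, so they come
// from this table and never from the request.
const TREND_ORDER = [
    'popular' => 'product.page_views DESC',
    'newest'  => 'product.created DESC',   // assumed column
    'cheap'   => 'product.price ASC',
];

// The filter is fixed server-side; the client has no say over which rows are visible.
const BASE_WHERE = "product.active = 'y' AND product.deleted = 'n'";

const MAX_LIMIT = 48;

/** Return trending products for an allow-listed trend key. */
function fetchTrending(mysqli $db, string $trend, int $limit): array
{
    if (!isset(TREND_ORDER[$trend])) {
        throw new InvalidArgumentException('unknown trend key');
    }
    // Clamp the page size so a caller cannot pull the whole table.
    $limit = max(1, min($limit, MAX_LIMIT));

    // Aliases keep product.id and seller.id from both landing in the 'id' key of the row.
    $sql = 'SELECT product.id AS product_id, product.image_thumb, product.title,
                   product.eng_title, product.price, seller.shop_name,
                   seller.id AS seller_id
            FROM product
            INNER JOIN seller ON product.seller_id = seller.id
            WHERE ' . BASE_WHERE . '
            ORDER BY ' . TREND_ORDER[$trend] . '
            LIMIT ?';

    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $limit);   // LIMIT accepts a bound integer in a prepared statement
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Request handling for /ajax/product_trending.php: the browser now posts only
// {trend: 'popular', limit: 12}; no SQL text travels over HTTP.
$trend = $_POST['trend'] ?? '';
$limit = filter_input(INPUT_POST, 'limit', FILTER_VALIDATE_INT);
if (!isset(TREND_ORDER[$trend]) || $limit === false || $limit === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'invalid trend or limit']);
    exit;
}

require_once $GLOBALS['domain'] . 'includes/connection.inc.php';
$db = dbConnect();

header('Content-Type: application/json');
$rows = fetchTrending($db, $trend, $limit);
// Keep the question's contract: an array when there are rows, 0 when there are none.
echo json_encode($rows ?: 0);
```

On the client side the attribute shrinks to `onclick="showTrending('popular', 12)"` and the AJAX payload to `data: {trend: trend, limit: limit}`, which also removes the nested double quotes that broke the onclick attribute in the original HTML. Any new sort order is added to TREND_ORDER on the server, never composed in the browser.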