Adding an offset to a prepared SQL statement with PDO
I am converting my SQL queries to prepared statements to prevent SQL injection.
I am trying to use the information from this question. I get no errors, but I receive no data. I even console.log(html);
Originally I was using this (which works fine).
<?php
$db_host = "localhost";
$db_user = "";
$db_pass = "";
$db_name = "";
try
{
$DB_con = new PDO("mysql:host={$db_host};dbname={$db_name}",$db_user,$db_pass);
$DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $exception)
{
echo $exception->getMessage();
}
?>
$limit = (intval($_GET['limit']) != 0) ? $_GET['limit'] : 5;
$offset = (intval($_GET['offset']) != 0) ? $_GET['offset'] : 0;
$sql = "SELECT * FROM wuno_inventory WHERE 1 ORDER BY id ASC LIMIT $limit OFFSET $offset";
try {
$stmt = $DB_con->prepare($sql);
$stmt->execute();
$results = $stmt->fetchAll();
}
catch (Exception $ex) {
echo $ex->getMessage();
}
if (count($results) > 0) {
foreach ($results as $res) {
echo '<tr class="invent">';
echo '<td>' . $res['wuno_product'] . '</td>';
echo '<td>' . $res['wuno_alternates'] . '</td>';
echo '<td>' . $res['wuno_description'] . '</td>';
echo '<td>' . $res['wuno_onhand'] . '</td>';
echo '<td>' . $res['wuno_condition'] . '</td>';
echo '</tr>';
}
}
?>
And now I want to make it secure, so, as the answer I cited above suggests, I did this:
$limit = (intval($_GET['limit']) != 0) ? $_GET['limit'] : 5;
$offset = (intval($_GET['offset']) != 0) ? $_GET['offset'] : 0;
$stmt = $DB_con->prepare("SELECT * FROM wuno_inventory WHERE 1 ORDER BY id ASC LIMIT :limit, :offset");
$stmt->bindValue(':limit', (int) trim($_GET['limit']), PDO::PARAM_INT);
$stmt->bindValue(':offset', (int) trim($_GET['offset']), PDO::PARAM_INT);
try {
$stmt->execute();
$results = $stmt->fetchAll();
}
catch (Exception $ex) {
echo $ex->getMessage();
}
After changing the query to this I receive no data at all. How do I bind the limit and offset so that they are taken out of the statement and my query is made more secure?
I also tried,
$stmt->bindParam(':limit', (int) trim($_GET['limit']), PDO::PARAM_INT);
$stmt->bindParam(':offset', (int) trim($_GET['offset']),PDO::PARAM_INT);
<script type="text/javascript">
jQuery(document).ready(function($) {
var busy = true;
var limit = 5;
var offset = 0;
var itemID = $("#itemID").val();
var assetPath = "<?php echo $assetPath ?>";
var searchPath = "<?php echo $searchPath ?>";
function displayRecords(lim, off) {
jQuery.ajax({
type: "GET",
async: false,
url: assetPath,
data: "limit=" + lim + "&offset=" + off,
cache: false,
beforeSend: function() {
$("#loader_message").html("").hide();
$('#loader_image').show();
},
success: function(html) {
console.log(html);
$("#productResults").append(html);
$('#loader_image').hide();
if (html === null) {
$("#loader_message").html('<button data-atr="nodata" class="btn btn-default" type="button">No more records.</button>').show();
} else {
console.log(html);
$("#loader_message").html('Loading... <img src="../wp-content/uploads/2016/02/loading.gif" alt="Loading">').show();
}
window.busy = false;
}
});
}
(function($) {
$(document).ready(function() {
if (busy === true) {
displayRecords(limit, offset);
busy = false;
}
});
})(jQuery);
(function($) {
$(document).ready(function() {
$(window).scroll(function() {
if ($(window).scrollTop() + $(window).height() > $("#productResults").height() && !busy) {
offset = limit + offset;
displayRecords(limit, offset);
}
});
});
})(jQuery);
});
</script>
HTML
<table id="prods" class="display table center-table" width="100%" >
<thead>
<tr>
<th>Product #</th>
<th>Alternate #</th>
<th>Description</th>
<th>On Hand</th>
<th>Condition</th>
</tr>
</thead>
<tbody id="productResults">
</tbody>
</table>
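The cause of the empty result is the clause order, not the binding: in MySQL `LIMIT a, b` means offset `a`, count `b`, so `LIMIT :limit, :offset` with limit=5 and offset=0 asks for zero rows starting at row 5. The `bindParam` attempt fails for a different reason: it binds by reference, and a cast expression such as `(int) trim($_GET['limit'])` cannot be passed by reference. The first version is also not safe: `intval($_GET['limit']) != 0 ? $_GET['limit'] : 5` interpolates the raw string whenever it starts with a digit, so `limit=5 UNION SELECT ...` would go straight into the query. The following is an added example, not the poster's code: it names the clauses as `LIMIT :limit OFFSET :offset`, casts and clamps both values, binds them with `bindValue` and `PDO::PARAM_INT`, and escapes the rows before they are appended to the DOM. The function names, the clamp of 100 rows, and the in-memory SQLite table with seven constructed rows are assumptions for the demo; the `wuno_inventory` columns are the ones the question's markup uses.

```php
<?php
// Added example (not the original poster's code): pagination whose LIMIT and
// OFFSET come from the request but are bound as integers, never interpolated.
// Assumes a wuno_inventory table with the columns the question's HTML shows.

function fetchInventoryPage(PDO $db, array $query): array
{
    // (int) turns "5 OR 1=1" into 5, "0; DROP TABLE x" into 0 and "abc" into 0.
    $limit  = (int) ($query['limit']  ?? 5);
    $offset = (int) ($query['offset'] ?? 0);
    // Clamp so a client cannot request millions of rows or a negative offset
    // (the 100-row cap is an assumed policy, not from the question).
    if ($limit < 1 || $limit > 100) {
        $limit = 5;
    }
    if ($offset < 0) {
        $offset = 0;
    }

    // "LIMIT :limit, :offset" is MySQL's "LIMIT offset, count" with the two
    // swapped; naming the clauses removes the ambiguity.
    $stmt = $db->prepare(
        'SELECT * FROM wuno_inventory ORDER BY id ASC LIMIT :limit OFFSET :offset'
    );
    // bindValue, not bindParam: bindParam needs a variable it can reference.
    // PARAM_INT together with a PHP int keeps emulated prepares from quoting
    // the value as '5', which MySQL rejects inside LIMIT.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The page's jQuery appends this HTML straight into #productResults, so the
// inventory text must be escaped: it is data, not markup.
function renderRows(array $rows): string
{
    $cols = ['wuno_product', 'wuno_alternates', 'wuno_description', 'wuno_onhand', 'wuno_condition'];
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr class="invent">';
        foreach ($cols as $col) {
            $html .= '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= '</tr>';
    }
    return $html;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
// With the question's setup, pass the mysql: PDO handle ($DB_con) and $_GET
// instead; the two functions above stay the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wuno_inventory (
    id INTEGER PRIMARY KEY,
    wuno_product TEXT, wuno_alternates TEXT, wuno_description TEXT,
    wuno_onhand INTEGER, wuno_condition TEXT)');
$ins = $db->prepare('INSERT INTO wuno_inventory
    (wuno_product, wuno_alternates, wuno_description, wuno_onhand, wuno_condition)
    VALUES (?, ?, ?, ?, ?)');
for ($i = 1; $i <= 7; $i++) {
    // A "<" in the description shows why renderRows() escapes its output.
    $ins->execute(["P$i", "A$i", "Item <$i>", $i * 10, 'new']);
}

$firstPage  = fetchInventoryPage($db, ['limit' => '5', 'offset' => '0']);
$secondPage = fetchInventoryPage($db, ['limit' => '5', 'offset' => '5']);
$pastEnd    = fetchInventoryPage($db, ['limit' => '5', 'offset' => '10']);
// Injection attempts collapse to plain integers before they reach the query.
$hostile    = fetchInventoryPage($db, ['limit' => '5 OR 1=1', 'offset' => '0; DROP TABLE wuno_inventory']);

printf("first=%d second=%d pastEnd=%d hostile=%d\n",
    count($firstPage), count($secondPage), count($pastEnd), count($hostile));
echo renderRows($firstPage), "\n";
```

In the question's own code the fix is the single line `LIMIT :limit OFFSET :offset` (or `LIMIT :offset, :limit`) together with `bindValue`; everything else here is the hardening a reviewer would ask for once the numbers are bound. If the MySQL connection is set up as in the question, `$DB_con->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);` additionally makes the server, rather than PDO, handle the placeholders, so the integer typing is enforced on the wire as well.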
Maybe useful? [How does bindValue work in LIMIT?](http://stackoverflow.com/a/18063491/3184785). _duplicate?_ see _Linked_ (on the right of this page) –
Thanks, I will take a look – wuno