2016-02-19 44 views

Adding an offset to a prepared SQL statement with PDO

I am converting my SQL queries to prepared statements to prevent SQL injection.

I tried to use the information from this question; I'm not getting any errors, but I'm not receiving any data either. I even added console.log(html); to check.

Originally I was using this (which works fine):

<?php

$db_host = "localhost";
$db_user = "";
$db_pass = "";
$db_name = "";

try
{
    $DB_con = new PDO("mysql:host={$db_host};dbname={$db_name}", $db_user, $db_pass);
    $DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $exception)
{
    echo $exception->getMessage();
}

$limit = (intval($_GET['limit']) != 0) ? $_GET['limit'] : 5;
$offset = (intval($_GET['offset']) != 0) ? $_GET['offset'] : 0;

// The raw $_GET values are interpolated straight into the SQL string; this is
// the injection point the prepared statement is meant to remove.
$sql = "SELECT * FROM wuno_inventory WHERE 1 ORDER BY id ASC LIMIT $limit OFFSET $offset";
try {
    $stmt = $DB_con->prepare($sql);
    $stmt->execute();
    $results = $stmt->fetchAll();
}
catch (Exception $ex) {
    echo $ex->getMessage();
}
if (count($results) > 0) {
    foreach ($results as $res) {
        echo '<tr class="invent">';
        echo '<td>' . $res['wuno_product'] . '</td>';
        echo '<td>' . $res['wuno_alternates'] . '</td>';
        echo '<td>' . $res['wuno_description'] . '</td>';
        echo '<td>' . $res['wuno_onhand'] . '</td>';
        echo '<td>' . $res['wuno_condition'] . '</td>';
        echo '</tr>';
    }
}
?>

Now I want to make it secure, as the answer I referenced above suggests:

$limit = (intval($_GET['limit']) != 0) ? $_GET['limit'] : 5;
$offset = (intval($_GET['offset']) != 0) ? $_GET['offset'] : 0;

$stmt = $DB_con->prepare("SELECT * FROM wuno_inventory WHERE 1 ORDER BY id ASC LIMIT :limit, :offset");
$stmt->bindValue(':limit', (int) trim($_GET['limit']), PDO::PARAM_INT);
$stmt->bindValue(':offset', (int) trim($_GET['offset']), PDO::PARAM_INT);
try {
    $stmt->execute();
    $results = $stmt->fetchAll();
}
catch (Exception $ex) {
    echo $ex->getMessage();
}

After changing the query to this I don't receive any data. How do I bind the limit and offset so that they are taken out of the statement and my query is safer?

I also tried:

// bindParam binds by reference, so it needs a variable; a cast expression
// like (int) trim(...) cannot be passed here.
$stmt->bindParam(':limit', (int) trim($_GET['limit']), PDO::PARAM_INT);
$stmt->bindParam(':offset', (int) trim($_GET['offset']), PDO::PARAM_INT);

<script type="text/javascript">
jQuery(document).ready(function($) {
    var busy = true;
    var limit = 5;
    var offset = 0;
    var itemID = $("#itemID").val();
    var assetPath = "<?php echo $assetPath ?>";
    var searchPath = "<?php echo $searchPath ?>";

    function displayRecords(lim, off) {
        jQuery.ajax({
            type: "GET",
            async: false,
            url: assetPath,
            data: "limit=" + lim + "&offset=" + off,
            cache: false,
            beforeSend: function() {
                $("#loader_message").html("").hide();
                $('#loader_image').show();
            },
            success: function(html) {
                console.log(html);
                $("#productResults").append(html);
                $('#loader_image').hide();
                // A successful response is a string, never null; an empty
                // string means the server returned no rows.
                if ($.trim(html) === "") {
                    $("#loader_message").html('<button data-atr="nodata" class="btn btn-default" type="button">No more records.</button>').show();
                } else {
                    $("#loader_message").html('Loading... <img src="../wp-content/uploads/2016/02/loading.gif" alt="Loading">').show();
                }
                // busy is the closure variable declared above, not window.busy
                busy = false;
            }
        });
    }

    // Initial page load
    if (busy === true) {
        displayRecords(limit, offset);
        busy = false;
    }

    // Load the next page when the user scrolls to the bottom of the results
    $(window).scroll(function() {
        if ($(window).scrollTop() + $(window).height() > $("#productResults").height() && !busy) {
            offset = limit + offset;
            displayRecords(limit, offset);
        }
    });
});
</script>

HTML

<table id="prods" class="display table center-table" width="100%">
    <thead>
        <tr>
            <th>Product #</th>
            <th>Alternate #</th>
            <th>Description</th>
            <th>On Hand</th>
            <th>Condition</th>
        </tr>
    </thead>

    <tbody id="productResults">

    </tbody>

</table>

Maybe this helps? [How to bindValue in LIMIT?](http://stackoverflow.com/a/18063491/3184785). _duplicate?_ see _Linked_ (right-hand side of this page) –


Thanks, I'll take a look – wuno

Answer


Do all your variable manipulation before the bindValue calls. (The trim is probably unnecessary, since you're casting it to int.)

try
{
    $DB_con = new PDO("mysql:host={$db_host};dbname={$db_name}", $db_user, $db_pass);
    $DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $exception)
{
    echo $exception->getMessage();
}

$limit = (intval($_GET['limit']) != 0) ? (int) $_GET['limit'] : 5;
$offset = (intval($_GET['offset']) != 0) ? (int) $_GET['offset'] : 0;

try {
    // LIMIT :limit OFFSET :offset keeps the two values unambiguous; MySQL's
    // comma form reads LIMIT offset, count, so the order there is reversed.
    $stmt = $DB_con->prepare("SELECT * FROM wuno_inventory LIMIT :limit OFFSET :offset");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    $results = $stmt->fetchAll();
}
catch (Exception $ex) {
    echo $ex->getMessage();
}
if (count($results) > 0) {
    foreach ($results as $res) {
        echo '<tr class="invent">';
        echo '<td>' . $res['wuno_product'] . '</td>';
        echo '<td>' . $res['wuno_alternates'] . '</td>';
        echo '<td>' . $res['wuno_description'] . '</td>';
        echo '<td>' . $res['wuno_onhand'] . '</td>';
        echo '<td>' . $res['wuno_condition'] . '</td>';
        echo '</tr>';
    }
}
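Added example, not code from the question or the answer: the same bound LIMIT/OFFSET pattern run against an in-memory SQLite database so it works offline, with the query-string values validated before they are bound, and a side-by-side run of the comma form `LIMIT :limit, :offset` to show why the first page comes back empty. The table name and the wuno_product column come from the question; the rows, the query-string values and the helper names pageParams and fetchPage are my own constructions.

```php
<?php
// Added example (not from the question or answer): the bound LIMIT/OFFSET
// pattern run against an in-memory SQLite database so it works offline.
// Table rows and query-string values below are constructed sample data.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL this makes the server prepare the statement itself, so the bound
// integers never become part of the SQL text (a no-op for SQLite).
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE wuno_inventory (id INTEGER PRIMARY KEY, wuno_product TEXT)');
$ins = $db->prepare('INSERT INTO wuno_inventory (wuno_product) VALUES (:p)');
for ($i = 1; $i <= 12; $i++) {
    $ins->execute([':p' => "product-$i"]);
}

// Validate the untrusted query-string values before they reach bindValue:
// anything that is not an integer in range falls back to the defaults.
function pageParams(array $get, int $defaultLimit = 5, int $maxLimit = 100): array
{
    $limit  = filter_var($get['limit'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $maxLimit]]);
    $offset = filter_var($get['offset'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return [$limit === false ? $defaultLimit : $limit, $offset === false ? 0 : $offset];
}

// Fetch one page; both values are bound as integers, never interpolated.
function fetchPage(PDO $db, int $limit, int $offset): array
{
    $stmt = $db->prepare('SELECT id, wuno_product FROM wuno_inventory ORDER BY id ASC LIMIT :limit OFFSET :offset');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

[$limit, $offset] = pageParams(['limit' => '5abc', 'offset' => '-3']); // both rejected
$rows = fetchPage($db, $limit, $offset);
printf("OFFSET form: %d rows, first id %d\n", count($rows), $rows[0]['id']);

// The comma form means LIMIT offset, count (MySQL and SQLite alike), so
// "LIMIT :limit, :offset" with limit=5, offset=0 asks for zero rows.
$comma = $db->prepare('SELECT id FROM wuno_inventory ORDER BY id ASC LIMIT :limit, :offset');
$comma->bindValue(':limit', $limit, PDO::PARAM_INT);
$comma->bindValue(':offset', $offset, PDO::PARAM_INT);
$comma->execute();
printf("comma form: %d rows\n", count($comma->fetchAll()));
```

Run it with the php CLI (the pdo_sqlite extension is bundled with PHP); swap the DSN for the MySQL one from the question to use it against the real table.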

Strange. I have it set to load 5 rows, and load more on scroll. After adding your answer, the page doesn't load any data, but it does load data when I scroll. – wuno


You'll have to post more code showing how your scroll loader works to help me troubleshoot. – mkaatman


OK, but I'm curious: why would it work on scroll but not on load, since we're binding instead of putting the limit and offset in the query? – wuno