Php 来自表单输入的数组-Select语句MySQLi参数化
使用MySQLi将表单输入中输入的短语转换为数组,以传递到MySQL select语句where子句中。我的php代码实现了这一点,但我无法解决如何参数化查询以防止sql注入攻击。我已经在这个网站上查看了一些问题,但我很难将其与我的代码联系起来Php 来自表单输入的数组-Select语句MySQLi参数化,php,mysqli,sql-injection,Php,Mysqli,Sql Injection,使用MySQLi将表单输入中输入的短语转换为数组,以传递到MySQL select语句where子句中。我的php代码实现了这一点,但我无法解决如何参数化查询以防止sql注入攻击。我已经在这个网站上查看了一些问题,但我很难将其与我的代码联系起来 if(!empty($_POST['Message'])) { $searchStr = get_post($con,'Message'); $aKeyword = explode(" ", $searchStr);
if(!empty($_POST['Message']))
{
$searchStr = get_post($con,'Message');
$aKeyword = explode(" ", $searchStr);
$query ="SELECT m.ID, m.MessageText FROM MessageMain m LEFT OUTER JOIN Likes l on m.ID = l.PostID WHERE MessageText LIKE '%" . $aKeyword[0] . "%'";
for($i = 1; $i < count($aKeyword); $i++) {
if(!empty($aKeyword[$i])) {
$query .= " OR MessageText like '%" . $aKeyword[$i] . "%'";
}
}
$query .= " GROUP BY m.ID, m.MessageText ORDER BY count(m.id) desc";
$result = $con->query($query);
$rowcount=mysqli_num_rows($result);
if(!empty($\u POST['Message']))
{
$searchStr=get_post($con,'Message');
$aKeyword=explode(“,$searchStr);
$query=“从MessageMain中选择m.ID,m.MessageText m LEFT OUTER JOIN Likes l on m.ID=l.PostID,其中MessageText类似“%”,$aKeyword[0]。“%”;
对于($i=1;$iquery($query);
$rowcount=mysqli\u num\u行($result);
如果您想根据要匹配的关键字数量动态构建WHERE
子句,您可以这样做:
if (!empty($_POST['Message'])) {
$searchStr = get_post($con, 'Message');
$aKeyword = explode(" ", $searchStr);
$whereClauseArr = [];
foreach ($aKeyword as $keyword) {
if ($keyword) {
$whereClauseArr[] = "MessageText LIKE ?";
$whereValues[] = '%'.$keyword.'%';
}
}
$stmt = $con->prepare(
'SELECT m.ID, m.MessageText
FROM MessageMain m
LEFT OUTER JOIN Likes l on m.ID = l.PostID
WHERE '.implode(' OR ', $whereClauseArr).'
GROUP BY m.ID, m.MessageText ORDER BY count(m.id) desc'
);
$stmt->bind_param(str_repeat('s', count($whereValues)), ...$whereValues);
$stmt->execute();
$result = $stmt->get_result();
}
尽管在您的情况下,使用正则表达式检查同一列与多个值可能会更好。这将使您的查询更简单,并且可能更快,具体取决于您拥有的关键字数量
if (!empty($_POST['Message'])) {
$searchStr = get_post($con, 'Message');
$aKeyword = explode(" ", $searchStr);
$aKeyword = array_filter($aKeyword); // Remove empty values
$stmt = $con->prepare(
'SELECT m.ID, m.MessageText
FROM MessageMain m
LEFT OUTER JOIN Likes l on m.ID = l.PostID
WHERE MessageText REGEXP ?
GROUP BY m.ID, m.MessageText ORDER BY count(m.id) desc'
);
$regexString = implode('|', $aKeyword);
$stmt->bind_param('s', $regexString);
$stmt->execute();
$result = $stmt->get_result();
}
谢谢你的上述。你的代码没有修改:)我学到了一些非常酷和有用的东西。再次感谢。我使用了REGEXP的答案,只是为了说!