我在MySQL中使用以下SQL查询。
"SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month,
account.name AS accountName,
account.id AS accountId,
invoices.invId AS invoiceId,
productType.title AS productTitle,
sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue,
sum(invoiceItems.quantity) AS totalQuantity
FROM account LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT ".$start_limit.", ".$records_per_page.";"
这适用于限制查询的部分。但是,当我添加限制部分时,变量$start_limit& $records_per_page没有价值,而如果我jig,变量周围的线条进入查询。当我将变量周围的引号更改为'.$start_limit.'时也是这种情况。
但是,查询似乎不起作用。
对于我所做错的任何建议或帮助将不胜感激。
两个变量的值肯定是100%传入的。在这个例子中,它们只是,start limit = 0和end limit(每页)= 50。 我已经检查过,50远低于极限。
问题是,当我看到弹出的SQL错误时,它说:
SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month,
account.name AS accountName,
account.id AS accountId,
invoices.invId AS invoiceId,
productType.title AS productTitle,
sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue,
sum(invoiceItems.quantity) AS totalQuantity
FROM account LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT , ;
如果我改变了一些东西,看看变量是否存在,我们得到:
SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month,
account.name AS accountName,
account.id AS accountId,
invoices.invId AS invoiceId,
productType.title AS productTitle,
sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue,
sum(invoiceItems.quantity) AS totalQuantity
FROM account LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT '.0.', '.50.' ;
这些值都不是用户提供的。所以这不是太多的问题。我不确定为什么变量在这1个查询中表现异常,来自100个类似的1,我已经做了同样的事情。这一个的唯一区别是分组和排序的数量。这会有所作为吗?
答案 0 :(得分:1)
如果$start_limit和/或$records_per_page未填充,您将遇到问题。但是,如果您希望在将它们放入查询之前将它们默认为标准值:
// default them values to 0 and 50
$start_limit = empty($start_limit) ? 0 : $start_limit;
$records_per_page = empty($records_per_page) ? 50 : $records_per_page;
// may also want to check (empty(...) || $var < 0 || $var > $threshold) as well.
然后开展您的业务:
$sql = "SELECT " . /* ... */ " LIMIT " . $start_limit . "," . $records_per_page;
我应该注意,如果其中任何一个(或两者)都是用户提供的(或者用户有机会更改这些值),我会先将它们清理干净,然后再将它们放入查询中。 e.g。
$start_limit = (int) $_REQUEST['start_limit'];
if ($start_limit < 0) // can't be <0
$start_limit = 0;
$records_per_page = (int) $_REQUEST['records_per_page'];
if ($records_per_page < 10) // can't be <10
$records_per_page = 10;
else if ($records_per_page > 100) // can't be >100
$records_per_page = 100;
然后,您确保$start_limit不包含任何威胁;SELECT password FROM admin_table;的内容。 (SQL Injection)
你的问题有点含糊不清,所以如果我偏离轨道,请更新问题,我会对答案做同样的事情
答案 1 :(得分:0)
$start_limit和$records_per_page的值可能无效或超出范围。也许尝试记录它们以确定。
答案 2 :(得分:0)
你可以使用PDO扩展吗?
您的代码很容易出现SQL注入。使用PDO或MySQLi扩展。
使用PDO扩展的示例:
<?php
$query = "SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month, account.name AS accountName, account.id AS accountId, invoices.invId AS invoiceId, productType.title AS productTitle, sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue, sum(invoiceItems.quantity) AS totalQuantity
FROM account
LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT ?, ?;"
$stmt = $dbh->prepare($query);
$stmt->bindParam(1, $start_limit, PDO::PARAM_INT);
$stmt->bindParam(2, $records_per_page, PDO::PARAM_INT);
$stmt->execute();
// other codes here
?>