Creating a dynamic search query in PHP and PDO

Time: 2013-04-23 10:21:51

Tags: php pdo

I have been trying to get this to work, but I don't think I have my SQL set up correctly.

For example, I am trying to take the search term from the URL and then insert it using a prepared statement so that it is safe to use in the database.

First, I fetch from the session the IDs of the products the user owns.

Then I check whether they have more than 1 item; if they do, I set up an array and insert it into the database, and if they don't have more than 1 item, I just insert it into the database to retrieve the data.

The reason I set this up as variables is that it is sent to a pagination class, so it paginates the results.

Here is the header of the HTML:

<?php

$searchword = $urlmaker->geturlandsearch($_GET["search"]);

$findcomma = strpos($_SESSION["SESS_USERSPRODUCTIDS"], ",");

if($findcomma == true){

    $userproductid = explode(',', $_SESSION["SESS_USERSPRODUCTIDS"]);
    $prep       = array(':like' => "%$searchword%", ':like2' => "%$searchword%");

    $q = '';
    $e = '';
    $i = 1;

    foreach($userproductid as $productid){

        $q   .= 'productid=:productid' . $i . ' || ';
        $prep[":productid{$i}"] = $productid;
        $i++;

    }

    $q = rtrim($q, " || ");

} else {

    $q = 'productid=:productid';
    $prep = array(':productid' => $_SESSION["SESS_USERSPRODUCTIDS"], ':like' => "%$searchword%", ':like2' => "%$searchword%");

}

$maxlimit = 15;

$geturi = "/Search-Forum/" . $_GET['search'] . "/";

$string     = "SELECT id,title,date,username,viewcount,replycount,replyuser,replydate FROM forum_topics WHERE " . $q . " AND title LIKE :like OR content like :like2 ORDER BY replydate DESC";
$pagstring  = "SELECT id FROM forum_topics WHERE  " . $q . " AND title LIKE :like OR content like :like2";
$pagurl     = $geturi;

Here is the front-end code:

<?php

$topicQuery = $pagination->paginatedQuery($pdo, $string, $maxlimit, $prep);
if($topicQuery != "no query"){

while($fetchquery = $topicQuery->fetch()) { 
$topicid            = stripslashes($fetchquery["id"]);
$topictitle         = stripslashes($fetchquery["title"]);
$topicdate          = stripslashes($fetchquery["date"]);
$topicusername      = stripslashes($fetchquery["username"]);
$topicviewcount     = stripslashes($fetchquery["viewcount"]);
$topicreplycount    = stripslashes($fetchquery["replycount"]);
$topicreplyuser     = stripslashes($fetchquery["replyuser"]);
$topicreplydate     = stripslashes($fetchquery["replydate"]);

?>
<li>
    <div class="topiclisttitle"><p><b><a href="<?php echo '/Forum-'.$_GET["forumid"].'/Product-'.$_GET["productid"].'/' . $urlmaker->sluggify($topictitle); ?>/<?php echo $topicid ; ?>/<?php echo $_GET["proid"]; ?>/"><?php echo ucwords($topictitle); ?></a></b><br><?php echo $topicusername ; ?> on <?php echo $betterTime->dateAndtime($topicdate); ?></p></div>
    <div class="topiclistview"><p><b><?php echo $topicviewcount ; ?></b><br>Views</p></div>
    <div class="topiclistview"><p><b><?php echo $topicreplycount ; ?></b><br>Replies</p></div>
    <div class="topiclistlastposted"><?php if(!empty($topicreplyuser)){ ?><p>By: <b><?php echo $topicreplyuser ; ?></b> On<br><?php echo $betterTime->dateAndtime($topicreplydate); ?></p><?php } else { ?><p>By: <b><?php echo $topicusername ; ?></b> On<br><?php echo $betterTime->dateAndtime($topicreplydate); ?></p><?php } ?></div>
</li>
<?php } } else { ?>
<li><p class="morepadding">No Topics Regarding Your Search Words :(</p></li>
<?php } ?>

Below is the database input in the pagination class:

$freebiesquery = $pdo->prepare($string . " LIMIT " . $maxlimit);
$freebiesquery->execute($prep);
$freebiesquery_num = $freebiesquery->rowCount();

All of this works on other pages, so it must be the way I did the header part of the code, and first of all the way I form the SQL query.

The only errors I get are the following:

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number

But shouldn't that be impossible, since I count them and they are the same?

1 answer:

Answer 0 (score: 1)

Putting a string that contains => into an array does not create an association. => is part of the array literal syntax, and it has to be outside of the string.

Replace:

$prep[] = "':productid{$i}' => {$productid}";

with:

$prep[":productid{$i}"] = $productid;

Replace:

$e = "':productid' =>" .  $_SESSION["SESS_USERSPRODUCTIDS"];

with:

$prep = array(':productid' => $_SESSION["SESS_USERSPRODUCTIDS"]);

Replace:

$prep       = array($e, ':like' => "%$searchword%", ':like2' => "%$searchword%");

with:

$prep[':like'] = "%$searchword%";
$prep[':like2'] = "%$searchword%";
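The following is an added example, not code from the question or the answer above. It builds the product-ID restriction and the search filters the question describes as named placeholders, groups the AND/OR with parentheses (without them `productid=... AND title LIKE ... OR content LIKE ...` is parsed as `(productid AND title) OR content`, so a content match would return topics from products the user does not own), and checks that every placeholder in the SQL has a bound value before `execute()`, which is exactly the mismatch behind the HY093 warning. The table and column names follow the question; the `buildSearchQuery` and `assertPlaceholdersMatch` functions, the in-memory SQLite database and the sample rows are assumptions made for this example.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes pdo_sqlite is
// available; the forum_topics table and the rows inserted below are constructed.

function buildSearchQuery(array $productIds, string $searchword): array
{
    if ($productIds === []) {
        throw new InvalidArgumentException('at least one product id is required');
    }
    $prep = [':like' => "%$searchword%", ':like2' => "%$searchword%"];
    $placeholders = [];
    foreach (array_values($productIds) as $i => $productid) {
        $name = ':productid' . ($i + 1);       // :productid1, :productid2, ...
        $placeholders[] = 'productid=' . $name;
        $prep[$name] = (int) $productid;       // session value, cast defensively
    }
    // Parentheses matter: "a AND b OR c" is "(a AND b) OR c", so without them
    // a content match leaks topics of products the user does not own.
    $where = '(' . implode(' OR ', $placeholders) . ')'
           . ' AND (title LIKE :like OR content LIKE :like2)';
    $sql = 'SELECT id,title,date,username,viewcount,replycount,replyuser,replydate'
         . ' FROM forum_topics WHERE ' . $where . ' ORDER BY replydate DESC';
    return [$sql, $prep];
}

// Compare the named placeholders in the SQL with the keys of the bind array so
// a mismatch is reported with names, instead of as a bare HY093 from PDO.
function assertPlaceholdersMatch(string $sql, array $prep): void
{
    preg_match_all('/:[a-zA-Z_][a-zA-Z0-9_]*/', $sql, $m);
    $inSql   = array_unique($m[0]);
    $missing = array_diff($inSql, array_keys($prep));
    $extra   = array_diff(array_keys($prep), $inSql);
    if ($missing || $extra) {
        throw new LogicException('placeholder mismatch; missing: ' . implode(',', $missing)
            . ' extra: ' . implode(',', $extra));
    }
}

// Demo against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE forum_topics (id INTEGER PRIMARY KEY, productid INTEGER,'
    . ' title TEXT, content TEXT, date TEXT, username TEXT, viewcount INTEGER,'
    . ' replycount INTEGER, replyuser TEXT, replydate TEXT)');
$ins = $pdo->prepare('INSERT INTO forum_topics (productid,title,content,date,username,'
    . 'viewcount,replycount,replyuser,replydate) VALUES (?,?,?,?,?,?,?,?,?)');
// Products 7 and 9 belong to the user in this scenario; product 42 does not.
$ins->execute([7,  'Login problem', 'cannot login',       '2013-04-20', 'alice',   3, 1, 'bob', '2013-04-21']);
$ins->execute([9,  'Billing',       'login page broken',  '2013-04-19', 'carol',   5, 0, null,  '2013-04-19']);
$ins->execute([42, 'Login help',    'login fails',        '2013-04-22', 'mallory', 1, 0, null,  '2013-04-22']);

// Same input shape as the question: a comma-separated list of product IDs from the session.
[$sql, $prep] = buildSearchQuery(explode(',', '7,9'), 'login');
assertPlaceholdersMatch($sql, $prep);
$stmt = $pdo->prepare($sql);
$stmt->execute($prep);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Only ids 1 and 2 are printed; the product-42 topic is excluded by the grouped WHERE.
    echo $row['id'], ' ', $row['title'], PHP_EOL;
}
```

The single-product case needs no separate branch: a one-element list produces `(productid=:productid1)`, so the pagination class can prepare and execute the same `$sql`/`$prep` pair with `LIMIT` appended, as in the question.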