我有庞大的数据库,其中包含有关测试代码的学生信息以及为这些测试代码实现的标记。我需要为每个测试代码对应的学生重新计算百分位数。我有一系列测试代码的代码,但它无法正常工作。
function recompute_percentiles()
{
if($_REQUEST[testcode]=="CAT B1" or $_REQUEST[testcode]=="CAT B2" or $_REQUEST[testcode]=="CAT B3" or $_REQUEST[testcode]=="CAT B4")
{
echo "<br />Got testcode: ".$_REQUEST[testcode];
$getsortedq=mysql_query("SELECT username, section1right as m from kmarks where testcode='.$_REQUEST[testcode].' order by section1right DESC");
if(!$getsortedq)
echo "Could not get the sorted query";
else
echo "got the sorted query quick";
$totalcount=mysql_num_rows($getsortedq);
while($r=mysql_fetch_array($getsortedq))
{
$u=$r[username];
$m=$r[m];
$array[$u]=$m;
}
$array2=$array;
//print_r($array2);
$updated=0;
foreach($array as $key=>$value)
{
$countsame=0;
foreach($array2 as $k=>$v)
{
if($v>=$value)
$countsame++;
else
break;
}
$countless = $totalcount - $countsame;
reset($array2);
$percentile=round($countless/$totalcount*100,2);
$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where username='.$key.' and testcode='.$_REQUEST[testcode].'");
if(!$updatep1q)
echo "<br />Could not update p1 for username: ".$key;
else
$updated++;
}
echo "<br />Updated ".$updated." records in kmarks db, out of ".$totalcount." records for testcode ".$_REQUEST[testcode];
}
}
答案 0 :(得分:2)
此代码存在多个严重问题 - 甚至没有触及功能......
$_REQUEST[testcode]
不好,总是使用牙套!
$_REQUEST['testcode']
您对SQL Injection和HTML/Javascript注射
非常开放echo "<br />Got testcode: ".$_REQUEST[testcode]; //HTML injection...
//SQL injection
$getsortedq=mysql_query("SELECT username, section1right as m from kmarks where testcode='.$_REQUEST[testcode].' order by section1right DESC");
始终使用正确的清理(mysql(i)_real_escape_string($_REQUEST['testcode'])
,具体取决于使用的mysql_或mysqli)。甚至更好:SQL案例中的预处理语句......
强制性的mysql_ *警告:自PHP 5.5起,不推荐使用 mysql _ 函数。 不要使用:使用PDO或至少 mysqli _ 函数...
这是罪魁祸首:
$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where username='.$key.' and testcode='.$_REQUEST[testcode].'");
生成的查询将显示为:
UPDATE kmarks set percentile1=<somevalue> --this is OK
where username='.<somevalue>.' and testcode='.$_REQUEST[testcode].'
^ ^ ^^^^^^^^^^^^^^^^^^^^^
突出问题......有不需要的点,以及整个不好的部分。我想你想要这样的东西
UPDATE kmarks set percentile1=<somevalue>
where username='<somevalue>' and testcode='<somevalue>'
这样使用它(当然是消毒!!!):
//WARNING! STILL HAS SQL INJECTION --apply sanitization from #2 to make it safer...
$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where username='".$key."' and testcode='".$_REQUEST[testcode]."'");
不能在字符串文字中使用数组,并且在普通变量的情况下不需要.
连接运算符...
答案 1 :(得分:0)
好像很多代码。你可以这样做:
$results = $db->query("SELECT * FROM your_table ORDER BY sort_field");
$data = array();
while($row = $results->fetch_assoc()){
$data[] = $row;
}
$chunks = array_chunk($data,ceil((count($data)/100)));
foreach($chunks as $key => $dataset){
$percentile = 99 - $key;
foreach($dataset as $row){
$db->query("UPDATE your_table SET percentile={$percentile} WHERE id={$row['id']}");
}
}