Question

我试图通过解析URL并设置基线来设置查询：

class CatalogHandler extends DB{ 
public function getCatalog(){
    $URL=$_SERVER['REQUEST_URI'];
    $catalog=basename($URL);
    return $catalog;
}
....}

这会返回“硒鼓”。这就是我需要的所以我设置mysql查询来设置页面的元数据

include('CatalogHandler.php');
include('DBconfig.php');

$config = new DBconfig('localhost','setuser','a11235813b','setua');
$catalog = new CatalogHandler($config);
$catalogname=$catalog->getCatalog();
$catalog->openConnection(); //Nothing special just open mysqlconnection
$query="SELECT * FROM metaandtitlecatalogs WHERE Cat in ('".$catalogname."');"; //Problem goes here
$sql=$catalog->query($query); //added to the end of the issue
$hasRows = $catalog->countRows($sql); //here I'm getting Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in \home\localhost\www\setua\DB.php
echo "hasrows:".$hasRows;

以下是我使用的功能。

class DB{
public function query($query){
    $query = str_replace("}", "", $query);
    $query = str_replace("{", $this->config->prefix, $query);
    try{
        if(empty($this->connection)){
            $this->openConnection();

            if($this->config->connector == "mysql"){
                $this->lastQuery = mysql_query($this->ecapeString($query));
            }
            elseif($this->config->connector == "mysqli"){
                $this->lastQuery = mysqli_query($this->connection, $this->ecapeString($query));
            }
            $this->closeConnection();

            return $this->lastQuery;
        }
        else{
            if($this->config->connector == "mysql"){
                $this->lastQuery = mysql_query($this->ecapeString($query));
            }
            elseif($this->config->connector == "mysqli"){
                $this->lastQuery = mysqli_query($this->connection, $this->ecapeString($query));
            }
            return $this->lastQuery;
        }
    }
    catch(exception $e){
        return $e;
    }
public function countRows($result){
    try{
        if($this->config->connector == "mysql"){
            return mysql_num_rows($result);
        }
        elseif($this->config->connector == "mysqli"){
            return mysqli_num_rows($result);
        }
    }
    catch(exception $e){
        return $e;
    }
}
}

}

此外，我认为这很重要，如果查询变为＆＃34; ...其中ID在（1）＆＃34;一切顺利。可能这是一个逃避的问题，好像插入了硬编码的名称而不是＆＃39;＆＃34;。$ catalogname。＆＃34;＆＃39;出现问题。试图使用和转义双引号 - 再现:(
直接在DB中执行此查询会返回相应的结果

Answer 1

你没有显示你班级的方法ecapeString（），但我认为你误解了逃避的问题。如果连接字符串，则不会引用整个sql语句，而是引用值。在您的情况下，结果语句将类似于

SELECT * FROM metaandtitlecatalogs WHERE Cat in (\'cartridges\');

而不是

SELECT * FROM metaandtitlecatalogs WHERE Cat in ('cartridges');

将mysqli或PDO与预处理语句和参数一起使用是个好主意。

php无法执行mysql查询转义

1 个答案: