我一直在努力学习一些PDO教程并将它们应用到我的网站上,但似乎没有任何工作,包括,我怀疑,我的理智还剩下什么......我有一个搜索页面,其中包含以下内容在旧的PHP中编写的表单。我还没有找到如何在PDO中重写它,但我怀疑它们在阅读其他帖子后不相容。
<form action="test_result2.php" method="post">
<?php
mysql_connect('localhost', 'user', 'password');
mysql_select_db('database');
$sql = "SELECT DISTINCT Country FROM engravers Where Country <>'' AND Country IS NOT NULL ORDER by Country";
$result = mysql_query($sql);
echo "<select name\\='Country'>";
echo "<option value='$_POST'>Country</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Country'] . "'>" . $row['Country'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Year FROM engravers Where Year <>'' AND Year IS NOT NULL ORDER by Year";
$result = mysql_query($sql);
echo "<select name\\='Year'>";
echo "<option value='$_POST'>Year</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Year'] . "'>" . $row['Year'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Engraver1Surname FROM engravers Where Engraver1Surname <> '' AND Engraver1Surname IS NOT NULL ORDER by Engraver1Surname";
$result = mysql_query($sql);
echo "<select name\\='Engraver1Surname'>";
echo "<option value='$_POST'>Engraver</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Engraver1Surname'] . "'>" . $row['Engraver1Surname'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Designer1Surname FROM engravers Where Designer1Surname <>'' AND Designer1Surname IS NOT NULL ORDER by Designer1Surname";
$result = mysql_query($sql);
echo "<select name\\='Designer1Surname'>";
echo "<option value='$_POST'>Designer</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Designer1Surname'] . "'>" . $row['Designer1Surname'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Printer FROM engravers Where Printer <>'' AND Printer IS NOT NULL ORDER by Printer";
$result = mysql_query($sql);
echo "<select name\\='Printer'>";
echo "<option value='$_POST'>Printer</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Printer'] . "'>" . $row['Printer'] . "</option>";
}
echo "</select>";
?>
<input type="submit" />
</form>
</body>
这似乎工作正常,所以我希望我仍然可以使用它。我正在尝试学习如何在结果页面中使用PDO来防止注入,因为我已经发出严重警告,说我的旧代码容易受到攻击。我提出的是以下内容。我知道这是错误的,因为它不起作用,但我无法解决它出错的地方。
<?php
$db = new PDO('mysql:host=localhost;dbname=database;charset=utf8', 'user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
foreach($db->query("SELECT * FROM engravers WHERE $Country = $_POST['Country']", $Year = $_POST['Year'], $Engraver1Surname = $_POST['Engraver1Surname'], $Designer1Surname = $_POST['Designer1Surname]', $Printer = $_POST['Printer']);
as $row) {
echo $row['Country'].' '.$row['Year'].' '.$row['Engraver1Surname'].' '.$row['Designer1Surname'].' '.$row['Printer']; //etc...
}
?>
我完全走错了路吗?