使用PHP从SQL检索数据

时间:2015-05-12 15:57:09

标签: php html heredoc

第一个链接转到我问过的有关使用Heredoc语法I am unable to fix an issue concerning an HEREDOC syntax error的问题的问题

第二个链接涉及与上述链接非常相​​似的问题 Issue with heredoc and PHP

我遇到了一个关于从php页面中的数据库中检索数据的问题。问题与Heredoc无关,Heredoc在代码中,但问题是由于sql语法错误引起的。

<?php
     // riceve l'identifictivo di un regista e ne restituisce il nome completo
    function get_director($director_id) {

        global $db;

        $query = 'SELECT
                people_fullname
            FROM
                people
            WHERE
                people_id = ' . $director_id;
        $result = mysql_query($query, $db) or die(mysql_error($db));

        $row = mysql_fetch_assoc($result);
        extract($row);

        return $people_fullname;
    }

    // riceve l'identificativo di un attore principale e ne restituisce il nome 
    // completo
    function get_leadactor($leadactor_id) {

        global $db;

        $query = 'SELECT
                people_fullname
            FROM
                people
            WHERE
               people_id = ' . $leadactor_id;
        $result = mysql_query($query, $db) or die(mysql_error($db));

        $row = mysql_fetch_assoc($result);
        extract($row);

        return $people_fullname;                 
    }

    // riceve l'identificativo di un tipo di film e ne restituisce la 
    //descrizione
    function get_movie($type_id) {

        global $db;

        $query = 'SELECT
                movietype_label
            FROM
                movietype
            WHERE
                movietype_id = ' . $type_id;
        $result = mysql_query($query, $db) or die(mysql_error($db));

        $row = mysql_fetch_assoc($result);
        extract($row);

        return $movietype_label;
    }

    // funziona per calcolare se un film ha generato un profitto, una perdita o è
    // in pareggio
    function calculate_differences($takings, $cost) {

        $difference = $takings - $cost;

        if ($difference < 0) {
            $color = 'red';
            $difference = '$' . abs($difference) . ' million';
        } elseif ($difference > 0) {
            $color ='green';
            $difference = '$' . $difference . ' million';
        } else {
            $color = 'blue';
            $difference = 'broke even';
        }

        return '<span style="color:' . $color . ';">' . $difference . '</span>';        
    }

    // collegamento a MYSQL
    $db = mysql_connect('localhost', 'pippo', 'pluto') or 
        die ('Unable to connect. Check your connection parameters. ');
    mysql_select_db('moviesite', $db) or die(mysql_error($db));

    // recupera le informazioni
    $query = 'SELECT
            movie_name, movie_year, movie_director, movie_leadactor,
            movie_type, movie_running_time, movie_cost, movie_takings
        FROM
            movie
        WHERE
            movie_id = ' . $_GET['movie_id'];
    $result = mysql_query($query, $db) or die(mysql_error($db));

    $row = mysql_fetch_assoc($result);
    $movie_name        = $row['movie_name'];
    $movie_director    = get_director($row['movie_director']);
    $movie_leadactor   = get_leadactor($row['movie_leadactor']);
    $movie_year        = $row['movie_year'];
    $movie_running_time = $row['movie_running_time'] .' mins';
    $movie_takings     = $row['movie_takings'] . ' million';
    $movie_cost        = $row['movie_cost'] . ' million';
    $movie_health      = $calculate_differences($row['movie_takings'],
                              $row['movie_cost']);

    // mostra le informazioni
    echo <<<ENDHTML
    <html>
        <head>
             <title>Details and Reviews for: $movie_name</title>
        </head>
        <body>
        <div style="text-align: center;">
        <h2>$movie_name</h2>
        <h3><em>Details</em></h3>
        <table cellpadding="2" cellspacing="2"
         style="width: 70%; margin-left: auto; margin-right: auto;">
        <tr>
         <td><strong>Title</strong></strong></td>
         <td>$movie_name</td>
         <td><strong>Release Year</strong></strong></td>
         <td>$movie_year</td>
         </tr><tr>
         <td><strong>Movie Director</strong></td>
         <td>$movie_director</td>
         <td><strong>Cost</strong></td>
         <td>$$movie_cost<td/>
         </tr><tr>
         <td><strong>Lead Actor</strong></td>
         <td>$movie_leadactor</td>
         <td><strong>Takings</strong></td>
         <td>$$movie_takings<td/>
         </tr><tr>
         <td><strong>Running Time</strong></td>
         <td>$movie_running_time</td>
         <td><strong>Health</strong></td>
         <td>$movie_health<td/>
        </tr>
      </table></div>
      </body>
    </html>
ENDHTML;
?>

这是我正在处理的语法错误:

  

您的SQL语法有错误;检查与MySQL服务器版本对应的手册,以便在第7行的''附近使用正确的语法

1 个答案:

答案 0 :(得分:1)

好的,这是一个快速修复。它使代码安全或安全很少,但它将有助于此错误,至少可以防止一个注入问题。

在代码的顶部,您需要检查$_GET['movie_id'] XFINIUM.PDF。如果使用简单的isset检查来阻止url中的值不是数字,那么这也是谨慎的做法。如果传递的id不是数字(作为id应该是),那么它就像没有被传递一样好。我可能会像三元语句一样使用更简洁的东西,但这对于新的人来说更具可读性和可理解性。在构建并运行第一个查询之前(可以在声明函数之前或之后),将类似的内容放在脚本的顶部:

//if the movie id was passed in the url and is a number
if(isset($_GET['movie_id']) && is_numeric($_GET['movie_id'])){
    //get it
    $movie_id = $_GET['movie_id'];
} else {
    //stop the code and display error.
    die("Movie id not found.");
}

然后在查询中向下,将$_GET['movie_id']替换为变量$movie_id

我看到的另一个问题是你有并且会遇到,$calculate_differences是函数名,而不是变量。从之前删除$

此外,您应该检查第一个查询的结果是否包含is_numeric的任何行。完全有可能有人传递了不存在的电影ID。

相关问题
最新问题