Mysqli prepared statement image fetching error

Time: 2015-08-05 08:47:02

Tags: php mysql hamming-distance

Simply put, searching for an image by its path in mysqli and rendering it works like this:

<?php

$DBServer = 'localhost'; // e.g. 'localhost' or '192.168.1.100'
$DBUser   = 'root';
$DBPass   = '';
$DBName   = 'water';
$conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName);

// check connection
if ($conn->connect_error) {
    trigger_error('Database connection failed: ' . $conn->connect_error, E_USER_ERROR);
}

$image = $_GET['image'];

// user input is interpolated straight into the query text: this is the injection point
$sql = "SELECT kiti FROM `database` WHERE value LIKE '%$image%'";

if (!$result = $conn->query($sql)) {
    die('There was an error running the query [' . $conn->error . ']');
}
$file_path = 'photos/';

while ($row = $result->fetch_assoc()) {
    // the array key must match the column name in the SELECT list
    $src = $file_path . $row["kiti"];

    echo '<img class="myimg" src="' . $src . '" alt="There ya go" width="100" height="100" />';
}

$conn->close();

?>

But out of fear of SQL injection I rebuilt it as a prepared statement, and now it does not fetch the images. Please help:

<?php

$DBServer = 'localhost'; // e.g. 'localhost' or '192.168.1.100'
$DBUser   = 'root';
$DBPass   = '';
$DBName   = 'water';
$conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName);

// check connection
if ($conn->connect_error) {
    trigger_error('Database connection failed: ' . $conn->connect_error, E_USER_ERROR);
}

$image = $_GET['image'];

if ($stmt = $conn->prepare("SELECT kiti FROM `database` WHERE value=?")) {

    // Bind a variable to the parameter as a string.
    $stmt->bind_param("s", $image);

    // Execute the statement.
    $stmt->execute();
    $stmt->bind_result($key);
    // Fetch the data.
    $stmt->fetch();

    $result = $stmt->get_result();

    $file_path = 'photos/';
    if ($stmt->num_rows >= 1) {
        while ($row = $result->fetch_assoc()) {
            // the array key must match the column name in the SELECT list
            $src = $file_path . $row["kiti"];

            echo '<img class="myimg" src="' . $src . '" alt="There ya go" width="100" height="100" />';
        }
    } else {
        echo "0 records found";
    }
    // Close the prepared statement.
    $stmt->close();
    $conn->close();
}

?>

I have tried a lot and read many more posts; nothing seems to be wrong, but I cannot pinpoint it.

2 answers:

Answer 0 (score: 1)

You should add more error handling. Every method call can fail, and your script should react to that situation. For example:

if ($stmt = $conn->prepare("SELECT key FROM `database` WHERE value=?")) {

There is no else branch, so if prepare fails you will never know. My suggestion is to do the failure branch first (by default):

$stmt = $conn->prepare("SELECT key FROM `database` WHERE value=?");
if (!$stmt) {
    someErrorHandlingHere();
} else if (!$stmt->bind_param("s", $image)) {
    someErrorHandlingHere();
} else if (!$stmt->execute()) {
    someErrorHandlingHere();
} else if (!$stmt->bind_result($key)) {
    someErrorHandlingHere();
} else ...

I wonder how your "original" code works, because key is a reserved word/keyword in MySQL, see https://dev.mysql.com/doc/refman/5.5/en/keywords.html

Answer 1 (score: 0)

$stmt->fetch();

$result = $stmt->get_result();

The first line has already fetched one record from the result set. If your query returns only one record, there is nothing left for the while loop to fetch -> zero iterations.
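Putting both answers together, here is a corrected version of the prepared-statement lookup as an added example; it is not code from the question or from either answer. It assumes the table and column names from the question (`database`, `kiti`, `value`), a search parameter named `image` on the query string, and the mysqlnd driver, which mysqli_stmt::get_result() requires; it also keeps the LIKE '%...%' search that the original non-prepared query used, which the `value=?` version had silently turned into an exact match.

```php
<?php
// Added example: the prepared-statement lookup rewritten so it returns rows.
// Table/column names (`database`, `kiti`, `value`) come from the question;
// the connection details are placeholders.
$conn = new mysqli('localhost', 'root', '', 'water');
if ($conn->connect_error) {
    trigger_error('Database connection failed: ' . $conn->connect_error, E_USER_ERROR);
}

// A missing parameter is an empty search, not a PHP notice.
$image = isset($_GET['image']) ? $_GET['image'] : '';

// Keep the LIKE '%...%' semantics of the original query, but pass the
// wildcard-wrapped value as a bound parameter instead of interpolating it.
// Escape LIKE metacharacters in the user value so a '%' or '_' in the input
// cannot widen the match beyond a literal substring search.
$pattern = '%' . addcslashes($image, '%_\\') . '%';

// Fail-first handling, as answer 0 suggests: every mysqli call can return false.
$stmt = $conn->prepare("SELECT kiti FROM `database` WHERE value LIKE ?");
if (!$stmt) {
    trigger_error('Prepare failed: ' . $conn->error, E_USER_ERROR);
}
if (!$stmt->bind_param('s', $pattern) || !$stmt->execute()) {
    trigger_error('Query failed: ' . $stmt->error, E_USER_ERROR);
}

// Use ONE fetch mechanism. get_result() yields a buffered result set the loop
// can iterate; calling bind_result()/fetch() first would consume the row
// before the loop runs, which is the zero-iteration problem answer 1 describes.
$result = $stmt->get_result();
if (!$result) {
    trigger_error('get_result failed: ' . $stmt->error, E_USER_ERROR);
}

$file_path = 'photos/';
if ($result->num_rows === 0) {
    echo '0 records found';
}
while ($row = $result->fetch_assoc()) {
    // Values read back from the database are still untrusted for HTML output.
    $src = htmlspecialchars($file_path . $row['kiti'], ENT_QUOTES, 'UTF-8');
    echo '<img class="myimg" src="' . $src . '" alt="There ya go" width="100" height="100" />';
}

$stmt->close();
$conn->close();
```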