通过按下链接并转义反斜杠来运行MySQL查询

时间:2017-04-16 21:10:32

标签: php mysql

我在下面有这个PHP代码,它在HTML表格中输出MySQL查询的结果。此外,在表中,我创建了将在另一个查询中使用的结果的链接。让我们来看看代码:

<?php
/* Attempt MySQL server connection. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
$link = mysqli_connect("localhost", "root", "root", "DB1");

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

// Attempt select query execution
$sql = "SELECT * FROM fileDB";
if($result = mysqli_query($link, $sql)){
    if(mysqli_num_rows($result) > 0){
        echo "<table>";
            echo "<tr>";
                echo "<th>filename</th>";
                echo "<th>filepath</th>";
                echo "<th>size</th>";
            echo "</tr>";
        while($row = mysqli_fetch_array($result)){
            echo "<tr>";
                echo "<td><a href='http://mysecreturl.com/test.php?path=" . $row['filepath'] . "'>" . $row['filename'] . "<a/></td>";
                echo "<td>" . $row['filepath'] . "</td>";
                echo "<td>" . $row['size'] . "</td>";
            echo "</tr>";
        }
        echo "</table>";
        // Free result set
        mysqli_free_result($result);
    } else{
        echo "No records matching your query were found.";
    }
} else{
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}

// Close connection
mysqli_close($link);
?>

此代码按预期工作,但现在出现问题:我想实现以下内容:单击链接后,应执行另一个查询,这个查询具体:SELECT * FROM fileDB WHERE filepath = 'the one sent from the link'。我想从链接中使用类似$_GET["filepath"]的东西来设置第二个查询中的文件路径。我有两个主要问题:

  1. 我不知道任何PHP,所以我不知道如何点击链接可以运行另一个查询并生成一个包含结果的新表。

  2. 重要的是要指出,filepath是一个Windows路径的字符串,因此它包含这样的反斜杠:C:\something\something等。当我在phpMyAdmin中手动查询时,我通过编写{转义反斜杠{1}}但是当从上面的代码中获取表中的结果时,字符串文件路径当然会有一对反斜杠(因为它保存在数据库中)。如果反斜杠显然需要转义,我怎么能执行我的第二个查询?

    3. 非常感谢任何帮助!

6 个答案:

答案 0 :(得分:2)

我以为你想下载一个文件。这个更简单:

if (isset($_GET["path"])) {
    $stmt = mysqli_prepare($link, "SELECT * FROM fileDB WHERE filepath = ?");
    mysqli_stmt_bind_param($stmt, "s", $_GET["path"]);          
}else{
    $stmt = mysqli_prepare($link, "SELECT * FROM fileDB");      
}
mysqli_stmt_execute($stmt);

if ($result = mysqli_stmt_get_result($stmt)) {
    if(mysqli_num_rows($result) > 0){
    ...

哦,还有一件事你应该在URL中转义查询组件

echo "<td><a href='http://mysecreturl.com/test.php?path=" . urlencode($row['filepath']) . "'>" . $row['filename'] . "<a/></td>";

答案 1 :(得分:1)

现在可以使用像<a href="yourpage.php?path='your_filepath'">这样的get方法来完成,然后在你的php中使用这个<?php if(isset($_GET['filepath'])){//Run your php query here}?>

答案 2 :(得分:0)

您可以这样做:

echo '<tr>
 <td><form method="get" action="test.php">
       <button type="submit" name="path" value="'.$row['filepath'].'">
'.$row['filename'].'</button>
</form></td>
<td>'.$row['filepath'].'</td>
<td>'.$row['size'].'</td>
</tr>';

未经测试,但理论上应该有效。为什么你在filename-table-cell中有链接,而不是在其中包含实际路径的table-cell中,但是你可以测试它并查看它是否有效。

然而,我会把它变成$ _POST,除非在地址栏中显示URI很重要。

答案 3 :(得分:0)

要回答第一个问题,您可以向链接添加变量,例如如果你想在链接中传递名字和姓氏,你可以这样做

<?php
$fname = "John"; // First name
$lname = "Doe"; // Last Name

echo "<a href='next_table.php?fname=$fname&lname=$lname'>Next Table</a>";
?>

然后在另一页上检索名字和姓氏,你可以使用它:

<?php
$fname = $_GET["fname"];
$lname = $_GET["lname"];
?>

如果有帮助,请告诉我。

答案 4 :(得分:0)

只是一个if语句来检查文件路径是否已设置,str_replace函数是否可以转义反斜杠。

   <?php
    /* Attempt MySQL server connection. Assuming you are running MySQL
    server with default setting (user 'root' with no password) */
    $link = mysqli_connect("localhost", "root", "root", "DB1");

    // Check connection
    if($link === false){
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }

    // Attempt select query execution 
    // Check If filpath is set or not
    if(!isset($_GET['filepath']))
    { 
    $sql = "SELECT * FROM fileDB";
    }
   else
    {

    $filepath=$_GET['filepath'];
    //replace backlashes with double backlashes using str_replace
    $filepath=str_replace('\\','\\\/',$filepath);  
    $sql = "SELECT * FROM fileDB WHERE filepath='$filepath'";
    }
    if($result = mysqli_query($link, $sql)){
        if(mysqli_num_rows($result) > 0){
            echo "<table>";
                echo "<tr>";
                    echo "<th>filename</th>";
                    echo "<th>filepath</th>";
                    echo "<th>size</th>";
                echo "</tr>";
            while($row = mysqli_fetch_array($result)){
                echo "<tr>";
                    echo "<td><a href='http://mysecreturl.com/test.php?path=" . $row['filepath'] . "'>" . $row['filename'] . "<a/></td>";
                    echo "<td>" . $row['filepath'] . "</td>";
                    echo "<td>" . $row['size'] . "</td>";
                echo "</tr>";
            }
            echo "</table>";
            // Free result set
            mysqli_free_result($result);
        } else{
            echo "No records matching your query were found.";
        }
    } else{
        echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
    }



// Close connection
mysqli_close($link);
?>

答案 5 :(得分:-1)

更改代码:

// Attempt select query execution
$sql = "SELECT * FROM fileDB";
if($result = mysqli_query($link, $sql)){

要:

// Attempt select query execution
if(isset($_REQUEST['file']) && $_REQUEST['file'] !='') {
    $sql = "SELECT * FROM fileDB WHERE `file` = '".$_REQUEST['file']."';";
} else {
    $sql = "SELECT * FROM fileDB";
}
    if($result = mysqli_query($link, $sql)){

这应该传达基本的想法,但要关注使用参数化查询。

相关问题
最新问题