Bindparam不适用于我的分页脚本

时间:2018-04-22 07:32:38

标签: php mysql

我找到了this脚本,因为可能容易受到sql注入攻击我试图使用bindparam starting_limit 变量但是无效。这是我的代码:

include("include/config.php");
include("include/functions.php");

$query = $connect->prepare("SELECT * FROM tutorials");
$query->execute();
$total_results = $query->rowCount();
$total_pages = ceil($total_results / $paglimit);
if (!isset($_GET["page"])) {
    $page = 1;
    $_GET["page"] = 1;
} else {
    $page = $_GET["page"];
}
$starting_limit = ($page - 1) * $paglimit;
?>
<!DOCTYPE html>
<html lang="en">

<body>
<div class="list-group mt-4 posts-list-custom">
<? $query = $connect->prepare("SELECT * FROM tutorials ORDER BY id DESC LIMIT :starting_limit , $paglimit"); $query->bindParam(":starting_limit", $starting_limit); $query->execute(); $result = $query->fetchAll(); foreach($result as $row) { ?>
<a href="<?=$tutorialsroot . str_replace(" ", "-", strtolower($row["title"])); ?>" class="list-group-item"><?=$row["title"];?></a>
<? } ?>
</div>
<ul class="pagination mt-3">
<? for ($page = 1; $page <= $total_pages ; $page++): ?>
<li class="page-item<? if($page == $_GET["page"]) { echo " active"; }?>"><a href="<?=$tutorialsroot . "?page=" . $page;?>" class="page-link"><?=$page;?></a></li>
<? endfor; ?>
</ul>
</body>
</html>

这是我得到的错误:

  

致命错误:未捕获的异常&#39; PDOException&#39;与消息   &#39; SQLSTATE [42000]:语法错误或访问冲突:1064您有   SQL语法错误;查看与您的手册相对应的手册   MariaDB服务器版本,用于在&#39; 0&#39; 0附近使用正确的语法,5&#39;在   第1行&#39;在/home/rnywimzk/public_html/tutorials_subdomain/index.php:38   堆栈跟踪:#0   /home/rnywimzk/public_html/tutorials_subdomain/index.php(38):   抛出PDOStatement-&gt; execute()#1 {main}   第38行/home/rnywimzk/public_html/tutorials_subdomain/index.php

1 个答案:

答案 0 :(得分:1)

1 / 我不认为这是一个很好的合成器:

fixed

你可能意味着:

$query = $connect->prepare("SELECT * FROM tutorials 
    ORDER BY id DESC LIMIT :starting_limit , $paglimit");

2 / 您必须指定$query = $connect->prepare("SELECT * FROM tutorials ORDER BY id DESC LIMIT $paglimit OFFSET :starting_limit"); PDOStatement::bindParam参数,默认情况下为$data_type

http://php.net/manual/en/pdostatement.bindparam.php

在您的情况下,PDO::PARAM_STR的类型应为starting_limit

更改:

PDO::PARAM_INT

致:

$query->bindParam(":starting_limit", $starting_limit);
相关问题
最新问题