感谢大家的帮助,我已经接近。我最终将_GET放入绑定中,而不是设置vars,但没有发现要点。我不确定要在SELECT中放入哪个答案,因此此示例具有“?”。我都尝试过。我也将bindParam更改为上面的示例(:careerID和; title)。好消息是注入无效,但坏消息是我无法单击链接查看描述。这是经过修改的代码,再次感谢您的帮助!
$conn = new PDO('mysql:host=XXXX;dbname=XXXX', 'XXXX', 'XXXX');
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Leave column names as returned by the database driver
$conn->setAttribute(PDO::ATTR_CASE, PDO::CASE_NATURAL);
// Convert Empty string to NULL
$conn->setAttribute(PDO::ATTR_ORACLE_NULLS, PDO::NULL_EMPTY_STRING);
$SQL = "SELECT *
FROM careerapplicationpost,careerapplicationjobdescription
WHERE careerapplicationpost.CareerApplicationPostID = '?'
AND careerapplicationjobdescription.JobDescriptionTitle = '?'";
$sth = $conn->prepare($SQL);
// binding parameters
$sth->bindParam(':careerId', $_GET['CareerID'], PDO::PARAM_INT, 100);
$sth->bindParam(':title', $_GET['Title'], PDO::PARAM_STR, 100);
// executing statement
$sth->execute();
$resultSet = $sth->fetchAll();
foreach ( $conn->query($SQL) as $row ) {
//setup the postings
echo "<h2>";
echo "<a href=\"/careers/view-career.php?CareerID=$row[CareerApplicationPostID]&Title=$row[JobDescription]\">$row[JobDescriptionDisplayTitle]</a><br />";
echo "</h2><hr />";
echo "<br />";
echo $row['Location'];
echo ", ";
echo $row['FullTimePartTime'];
echo "<div class=\"postedon\">Posted on ";
echo $row['PostedDate'];
echo "</div>";
echo "<br />";echo "<br />";
echo "<strong>Summary:</strong> ";
echo $row['JobDescriptionSummary'];
echo "<br />";echo "<br />";
echo $row['JobDescriptionEdited'];
echo "<div class=\"linebreak\"> </div>";
echo "<a href=\"/careers/files/DigiEmploymentApp.pdf\">Please fill out an application here.</a><br />";
echo "<div class=\"clear\"></div>";
echo "<hr />";
}
if (!$row['CareerApplicationPostID'])
{
header("Location:index.php");
exit;
}
$conn = null;
答案 0 :(得分:0)
您可以轻松修复代码:
$SQL = "SELECT *
FROM careerapplicationpost,careerapplicationjobdescription
WHERE careerapplicationpost.CareerApplicationPostID = :careerId
AND careerapplicationjobdescription.JobDescriptionTitle = :title";
$sth = $conn->prepare($SQL);
// binding parameters
$sth->bindParam(':careerId', $careerId, PDO::PARAM_INT);
$sth->bindParam(':title', $title, PDO::PARAM_STR, 100);
问题在于您传递的查询中已经在字符串变量$SQL中传递了值,因为您在""内使用了变量。
答案 1 :(得分:0)
更改此:
$SQL = "SELECT *
FROM careerapplicationpost,careerapplicationjobdescription
WHERE careerapplicationpost.CareerApplicationPostID = '$careerId'
AND careerapplicationjobdescription.JobDescriptionTitle = '$title'";
对此:
$SQL = "SELECT *
FROM careerapplicationpost,careerapplicationjobdescription
WHERE careerapplicationpost.CareerApplicationPostID = :careerId
AND careerapplicationjobdescription.JobDescriptionTitle = :title";
答案 2 :(得分:0)
只想让任何人知道访问此页面,该问题(除了错误的代码之外)是php版本的问题。在编写此代码时,我尝试了大量示例,并选择了上面的示例。花了几周的时间学习PHP之后,我发现我正在运行PHP 5.33,并且在升级到7之后,所有发布到所有示例的示例都可以使用。我最终联系了我的网络托管公司,他们在一天之内就升级了PHP,尽管如果您使用的是优质的虚拟主机,则应该可以从控制面板进行升级。对于那些学习此内容的人,请花一些时间,学习一下代码的功能以及您将需要的内容。 PDO是一个很好的工具,可以帮助您逐步使用更高级的PHP。我来这里是为了获得快速解答,但我很高兴我没有得到一个答案,因为我现在能理解代码,因为我必须自己学习它。