I built the following pagination PHP script using Prepared Statements, but I need your feedback because I am confused about how to do the 2 SQL queries. Please note query_1 and query_2. I created 3 different queries for query_1 and don't know which one to use, so I'm spoilt for choice.

1. $query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ?";
2. $query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ? OFFSET ?";
3. $query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ?";

Q1. Do I need to use LIMIT & OFFSET in the first query, or query_1? If so, then which option is correct, 2 or 3?

Q2. Is my second query, or query_2, OK?

$query_2 = "SELECT id,date_and_time,recipient_username,sender_username,notice FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ? OFFSET ?";

For convenience, here is the full script. Please check it completely before replying. If you find other errors, please let me know.

Thanks!

Script:
<?php
//Required PHP Files.
include 'header_account.php'; //Required on all webpages of the Site.
?>
<?php
if (!$conn)
{
$error = mysqli_connect_error();
$errno = mysqli_connect_errno();
print "$errno: $error\n";
exit();
}
else
{
//Get the Page Number. Default is 1 (First Page).
//Cast the untrusted query-string value to an integer before it is used as an offset.
$page_number = isset($_GET["page_number"]) ? (int)$_GET["page_number"] : 1;
if ($page_number < 1)
{
$page_number = 1;
}
$sender_username = $social_network_admin_username;
$recipient_username = $user;
$links_per_page = 1;
$max_result = 100;
//$offset = ($page_number*$links_per_page)-$links_per_page;
$offset = ($page_number-1)*$links_per_page;
//$query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ?";
//$query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ? OFFSET ?";
$query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ?";
$stmt_1 = mysqli_prepare($conn,$query_1);
//mysqli_stmt_bind_param($stmt_1,'ss',$recipient_username,$sender_username);
//mysqli_stmt_bind_param($stmt_1,'ssii',$recipient_username,$sender_username,$links_per_page,$offset);
mysqli_stmt_bind_param($stmt_1,'ssi',$recipient_username,$sender_username,$links_per_page);
mysqli_stmt_execute($stmt_1);
$result_1 = mysqli_stmt_bind_result($stmt_1,$matching_rows_count);
mysqli_stmt_fetch($stmt_1);
mysqli_stmt_free_result($stmt_1);
$total_pages = ceil($matching_rows_count/$links_per_page);
$query_2 = "SELECT id,date_and_time,recipient_username,sender_username,notice FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ? OFFSET ?";
$stmt_2 = mysqli_prepare($conn,$query_2);
mysqli_stmt_bind_param($stmt_2,'ssii',$recipient_username,$sender_username,$links_per_page,$offset);
mysqli_stmt_execute($stmt_2);
$result_2 = mysqli_stmt_bind_result($stmt_2,$id,$date_and_time,$recipient_username,$sender_username,$notice);
mysqli_stmt_fetch($stmt_2);
?>
<!DOCTYPE html>
<html>
<head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
<title><?php echo htmlspecialchars("$site_name User $user Notices in $server_time time."); ?></title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<br>
<p align="center"><span style="font-weight:bold;"><?php echo htmlspecialchars("$site_name User $user Notices in $server_time time."); ?></span></p>
<br>
<br>
<table width="1500" border="0" cellpadding="5" cellspacing="2" bgcolor="#666666">
<?php if(!$stmt_2)
{
?>
<tr>
<td bgcolor="#FFFFFF">No record found! Try another time.</td>
</tr>
<?php
}
else
{
if(($offset+1)<=$max_result)
{
printf("<b> %d Result Found ...</b>\n",$matching_rows_count); ?><br>
<br>
<tr name="headings">
<td bgcolor="#FFFFFF" name="column-heading_submission-number">Submission Number</td>
<td bgcolor="#FFFFFF" name="column-heading_logging-server-date-and-time">Date & Time in <?php echo htmlspecialchars($server_time); ?></td>
<td bgcolor="#FFFFFF" name="column-heading_recipient-username">To</td>
<td bgcolor="#FFFFFF" name="column-heading_sender-username">From</td>
<td bgcolor="#FFFFFF" name="column-heading_notice">Notice</td>
</tr>
<tr name="user-details">
<!-- Escape every database value before it is written into the page. -->
<td bgcolor="#FFFFFF" name="submission-number"><?php printf("%s",htmlspecialchars($id)); ?></td>
<td bgcolor="#FFFFFF" name="logging-server-date-and-time"><?php printf("%s",htmlspecialchars($date_and_time)); ?></td>
<td bgcolor="#FFFFFF" name="recipient-username"><?php printf("%s",htmlspecialchars($recipient_username)); ?></td>
<td bgcolor="#FFFFFF" name="sender-username"><?php printf("%s",htmlspecialchars($sender_username)); ?></td>
<td bgcolor="#FFFFFF" name="notice"><?php printf("%s",htmlspecialchars($notice)); ?></td>
</tr>
<?php
//Use this technique: http://php.net/manual/en/mysqli-stmt.fetch.php
while(mysqli_stmt_fetch($stmt_2))
{
?>
<tr name="user-details">
<td bgcolor="#FFFFFF" name="submission-number"><?php printf("%s",htmlspecialchars($id)); ?></td>
<td bgcolor="#FFFFFF" name="logging-server-date-and-time"><?php printf("%s",htmlspecialchars($date_and_time)); ?></td>
<td bgcolor="#FFFFFF" name="recipient-username"><?php printf("%s",htmlspecialchars($recipient_username)); ?></td>
<td bgcolor="#FFFFFF" name="sender-username"><?php printf("%s",htmlspecialchars($sender_username)); ?></td>
<td bgcolor="#FFFFFF" name="notice"><?php printf("%s",htmlspecialchars($notice)); ?></td>
</tr>
<?php
}
?>
<tr name="pagination">
<td colspan="10" bgcolor="#FFFFFF"> Result Pages:
<?php
if($page_number<$total_pages)
{
for($i=1;$i<=$total_pages;$i++) //Show Page Numbers in Serial Order. Eg. 1,2,3.
echo "<a href=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "?user=" . urlencode($user) . "&amp;page_number={$i}\">{$i}</a> "; //Escape the script path and user name used in the link.
?><br>
<?php echo "$total_pages"; //DELETE
}
else
{
for($i=$total_pages;$i>=1;$i--) //Show Page Numbers in Reverse Order. Eg. 3,2,1.
echo "<a href=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "?user=" . urlencode($user) . "&amp;page_number={$i}\">{$i}</a> "; //Escape the script path and user name used in the link.
?><br>
<?php echo "$total_pages"; //DELETE
}
?>
</td>
</tr>
<?php
}
}
?>
</table>
<br>
<br>
<p align="center"><span style="font-weight:bold;"><?php echo htmlspecialchars("$site_name User $user Notices in $server_time time."); ?></span></p>
<br>
<br>
</body>
</html>
<?php
//Free Result Set.
mysqli_stmt_free_result($stmt_2);
//Close Statement Connection.
mysqli_stmt_close($stmt_2);
//Close Database Connection.
mysqli_close($conn);
}
?>
<?php
include 'footer_account.php'; //Required on all webpages of the Site.
?>
Edit: Following Aynbar's reply, I have now changed the first query to:

$query_1 = "SELECT COUNT(*) FROM notices WHERE recipient_username = ? AND sender_username = ?";

and kept the second query as:

$query_2 = "SELECT id,date_and_time,recipient_username,sender_username,notice FROM notices WHERE recipient_username = ? AND sender_username = ? ORDER BY id LIMIT ? OFFSET ?";

Finally, do you think the rest of the script has no flaws anywhere? If so, then I can use it on my website. Do you think it is SQL injection proof enough? I would like your opinion.
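As an added illustration (not part of the question or any answer to it), the two-query pagination pattern from the script run against SQLite in place of MySQL, since the COUNT(*) / LIMIT ? OFFSET ? semantics it relies on are the same: the count query is bound without LIMIT, the page query binds LIMIT and OFFSET as parameters, and the untrusted page_number is cast and clamped before it becomes an offset. count_with_offset reproduces option 2 from the question to show why it misbehaves: COUNT(*) yields exactly one row, so any offset of 1 or more skips it and the count comes back empty. The table, column names and sample rows are constructed to match the script.

```python
import math
import sqlite3

# Constructed sample data standing in for the script's `notices` table.
SAMPLE_NOTICES = [
    ("2024-01-01 10:00:00", "alice", "admin", "Welcome"),
    ("2024-01-02 10:00:00", "alice", "admin", "Second notice"),
    ("2024-01-03 10:00:00", "alice", "admin", "Third notice"),
    ("2024-01-04 10:00:00", "bob", "admin", "Not for alice"),
]

def open_db():
    """In-memory SQLite database with the same columns the script selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notices (id INTEGER PRIMARY KEY, date_and_time TEXT, "
                 "recipient_username TEXT, sender_username TEXT, notice TEXT)")
    conn.executemany("INSERT INTO notices (date_and_time, recipient_username, "
                     "sender_username, notice) VALUES (?, ?, ?, ?)", SAMPLE_NOTICES)
    return conn

def parse_page_number(raw, total_pages):
    """Untrusted ?page_number= value: integer only, clamped to [1, total_pages]."""
    try:
        page = int(raw)
    except (TypeError, ValueError):
        page = 1
    return max(1, min(page, max(total_pages, 1)))

def count_matching(conn, recipient, sender):
    # Query 1, option 1: no LIMIT/OFFSET. COUNT(*) always returns exactly one row.
    row = conn.execute("SELECT COUNT(*) FROM notices WHERE recipient_username = ? "
                       "AND sender_username = ?", (recipient, sender)).fetchone()
    return row[0]

def count_with_offset(conn, recipient, sender, per_page, offset):
    # Query 1, option 2: LIMIT/OFFSET applied to the single COUNT row.
    row = conn.execute("SELECT COUNT(*) FROM notices WHERE recipient_username = ? "
                       "AND sender_username = ? ORDER BY id LIMIT ? OFFSET ?",
                       (recipient, sender, per_page, offset)).fetchone()
    return None if row is None else row[0]   # None once offset >= 1

def fetch_page(conn, recipient, sender, raw_page, per_page):
    """Query 2: one page of notices, LIMIT and OFFSET bound as integer parameters."""
    total = count_matching(conn, recipient, sender)
    total_pages = math.ceil(total / per_page)
    page = parse_page_number(raw_page, total_pages)
    offset = (page - 1) * per_page
    rows = conn.execute("SELECT id, date_and_time, recipient_username, sender_username, notice "
                        "FROM notices WHERE recipient_username = ? AND sender_username = ? "
                        "ORDER BY id LIMIT ? OFFSET ?",
                        (recipient, sender, per_page, offset)).fetchall()
    return {"page": page, "total_pages": total_pages, "total": total, "rows": rows}
```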