在我的PHP SQL查询中导致此错误的原因是什么?

时间:2009-05-20 04:59:49

标签: php mysql database

我的mysql php代码有问题。该代码用于使用用户输入的变量搜索数据库并显示相应的结果。例如,如果我只搜索彩色照片,则只会列出彩色照片,其中包含艺术家姓名,尺寸等。但我收到错误信息,我不明白这意味着什么。它写着:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result,
boolean given in C:\Program Files\xampp\htdocs\results.php on line 64

这是导致问题的代码,任何人都知道为什么???

//Run the query and storee result
$result = mysqli_query($link, $query);

//Get number of rows in the result set
$number_of_rows = mysqli_num_rows ($result);

//close link to database
mysqli_close($link);

原始查询是:

//Define an SQL query to retrieve desired information
$query = "
SELECT
photos.photo_id, members.member_name, photos.photo_title, photos.photo_film,
    photos.photo_height, photos.photo_width
FROM members, photos
WHERE members.member_id = photos.member_id
";

//restict SQL query with an AND clause if a photo title has been supplied
if ($form_photo_title !="") {
    $query.= "AND photos.photo_title = '$form_photo_title' ";
}

//Restrict the SQL query with an AND clause if a member has been selected
if ($form_member_name !=0) {
    $query .= "AND members.member_name = $form_member_name ";
}

//Restrict the SQL query with an AND clause if a colour mode has been selected
if ($form_type !="") {
    $query .= "AND photo.photo_film = $form_type ";
}

//Run the query and storee result
$result = mysqli_query($link, $query);

5 个答案:

答案 0 :(得分:2)

你的mysqli_query命令将返回false。使用mysqli_error来诊断问题。

if (!mysqli_query($link, $query)) {
    printf("Errormessage: %s\n", mysqli_error($link));
}

您需要进行上述检查才能确定,但​​您的查询问题可能与此部分有关,而该部分未引用似乎是字符串值的内容:

if ($form_member_name !=0) {
    $query .= "AND members.member_name = $form_member_name ";
}

$ form_member_name至少应该用单引号括起来,但你应该肯定使用参数化语句,而不是将未经过处理的变量嵌入到你的查询中,因为你要对自己敞开大门。 SQL injection attack。这是一个修订版本,但请记住,我对mysqli有点生疏,没有你的DB就无法测试它:

$query = "
    SELECT
    photos.photo_id, members.member_name, photos.photo_title, photos.photo_film,
        photos.photo_height, photos.photo_width
    FROM members, photos
    WHERE members.member_id = photos.member_id
";

$types = "";
$params = array();

if ($form_photo_title !="") {
    $query.= "AND photos.photo_title = ? ";
    $types .= "s";
    $params[] = $form_photo_title;
}

if ($form_member_name !=0) {
    $query .= "AND members.member_name = ? ";
    $types .= "s";
    $params[] = $form_member_name;
}

if ($form_type !="") {
    $query .= "AND photo.photo_film = ? ";
    $types .= "s";
    $params[] = $form_type;
}

if (!($statement = mysqli_prepare($link, $query)))
    throw new Exception(mysqli_error($link));

// this tells the statement to substitute those question marks with each of 
// the values in the $params array. this is done positionally, so the first 
// question mark corresponds to the first element of the array, and so on. 
// the $types array is just a string with an indication of the type of the 
// value stored at each position in the array. if all three of the above 
// clauses are applied, then $types will equal "sss", indicating that the 
// first, second and third elements in $params are string types. 
// worse still, because the parameters to the query are dynamic, we can't 
// call mysqli_stmt_bind_param directly as it does not allow an array to be 
// passed, so we have to call it dynamically using call_user_func_array!
// i really hate this about mysqli.
// if all three of your above query clauses are applied, this call translates to
//     mysqli_stmt_bind_param(
//         $stmt, $types, 
//         $form_photo_title, $form_member_name, $form_type
//     );
array_unshift($values, $stmt, $types);
call_user_func_array("mysqli_stmt_bind_param", $values);

mysqli_stmt_execute($stmt);

// this instructs mysqli to assign each field in your query to each of 
// these variables for each row that is returned by mysqli_stmt_fetch(). 
// this is also positional - if you change the order or number of fields 
// in your query, you will need to update this.
mysqli_stmt_bind_result($photo_id, $member_name, $photo_title, $photo_film, $photo_height, $photo_width);

while (mysqli_stmt_fetch($stmt)) {
    // $photo_id will be reassigned to the value from the row on each 
    // loop iteration
    echo $photo_id."<br />";
}

我忘记了mysqli扩展名是什么可怕的野兽 - 如果你有权访问PDO extension,我 不能再强烈建议你学习它并改为使用它。

答案 1 :(得分:0)

您的查询有问题,它返回FALSE而不是结果集。什么是查询?

答案 2 :(得分:0)

form_member_name需要引用?

实际上,form_photo_title和{{1}}都需要properly handled来阻止SQL Injection攻击。

答案 3 :(得分:0)

我猜你试图执行的SQL有问题。在mysqli_query()命令之前将SQL打印到输出。然后获取该字符串并从mysql控制台运行它以查看是否可以执行查询。

答案 4 :(得分:0)

$query .= "AND photo.photo_film = $form_type ";

我认为一定是:

$query .= "AND photos.photo_film = $form_type ";

您错误拼写了表格名称并收到了“表格不存在”等错误。

不要忘记SQL注入。这段代码容易受到攻击。