使用PHP从SQL检索数据

时间:2020-12-05 01:39:08

First link goes to a question I've asked concerning an issue related to the use of Heredoc syntax I am unable to fix an issue concerning an HEREDOC syntax error

第一个链接转到我询问的有关使用Heredoc语法的问题的问题我无法解决有关HEREDOC语法错误的问题

Second link goes to a question very similar to the above link Issue with heredoc and PHP

第二个链接与heredoc和PHP的上述链接问题非常类似

I'm facing a problem concerning the retrieving of data from a database in a php page. The problem is not concerned with Heredoc, the Heredoc is in the code but the problem is caused because of a sql syntax error.

我正面临着从php页面中的数据库中检索数据的问题。问题与Heredoc无关,Heredoc在代码中,但问题是由于sql语法错误引起的。

<?php
     // riceve l'identifictivo di un regista e ne restituisce il nome completo
    function get_director($director_id) {

        global $db;

        $query = 'SELECT
                people_fullname
            FROM
                people
            WHERE
                people_id = ' . $director_id;
        $result = mysql_query($query, $db) or die(mysql_error($db));

        $row = mysql_fetch_assoc($result);
        extract($row);

        return $people_fullname;
    }

    // riceve l'identificativo di un attore principale e ne restituisce il nome 
    // completo
    function get_leadactor($leadactor_id) {

        global $db;

        $query = 'SELECT
                people_fullname
            FROM
                people
            WHERE
               people_id = ' . $leadactor_id;
        $result = mysql_query($query, $db) or die(mysql_error($db));

        $row = mysql_fetch_assoc($result);
        extract($row);

        return $people_fullname;                 
    }

    // riceve l'identificativo di un tipo di film e ne restituisce la 
    //descrizione
    function get_movie($type_id) {

        global $db;

        $query = 'SELECT
                movietype_label
            FROM
                movietype
            WHERE
                movietype_id = ' . $type_id;
        $result = mysql_query($query, $db) or die(mysql_error($db));

        $row = mysql_fetch_assoc($result);
        extract($row);

        return $movietype_label;
    }

    // funziona per calcolare se un film ha generato un profitto, una perdita o è
    // in pareggio
    function calculate_differences($takings, $cost) {

        $difference = $takings - $cost;

        if ($difference < 0) {
            $color = 'red';
            $difference = '$' . abs($difference) . ' million';
        } elseif ($difference > 0) {
            $color ='green';
            $difference = '$' . $difference . ' million';
        } else {
            $color = 'blue';
            $difference = 'broke even';
        }

        return '<span style="color:' . $color . ';">' . $difference . '</span>';        
    }

    // collegamento a MYSQL
    $db = mysql_connect('localhost', 'pippo', 'pluto') or 
        die ('Unable to connect. Check your connection parameters. ');
    mysql_select_db('moviesite', $db) or die(mysql_error($db));

    // recupera le informazioni
    $query = 'SELECT
            movie_name, movie_year, movie_director, movie_leadactor,
            movie_type, movie_running_time, movie_cost, movie_takings
        FROM
            movie
        WHERE
            movie_id = ' . $_GET['movie_id'];
    $result = mysql_query($query, $db) or die(mysql_error($db));

    $row = mysql_fetch_assoc($result);
    $movie_name        = $row['movie_name'];
    $movie_director    = get_director($row['movie_director']);
    $movie_leadactor   = get_leadactor($row['movie_leadactor']);
    $movie_year        = $row['movie_year'];
    $movie_running_time = $row['movie_running_time'] .' mins';
    $movie_takings     = $row['movie_takings'] . ' million';
    $movie_cost        = $row['movie_cost'] . ' million';
    $movie_health      = $calculate_differences($row['movie_takings'],
                              $row['movie_cost']);

    // mostra le informazioni
    echo <<<ENDHTML
    <html>
        <head>
             <title>Details and Reviews for: $movie_name</title>
        </head>
        <body>
        <div style="text-align: center;">
        <h2>$movie_name</h2>
        <h3><em>Details</em></h3>
        <table cellpadding="2" cellspacing="2"
         style="width: 70%; margin-left: auto; margin-right: auto;">
        <tr>
         <td><strong>Title</strong></strong></td>
         <td>$movie_name</td>
         <td><strong>Release Year</strong></strong></td>
         <td>$movie_year</td>
         </tr><tr>
         <td><strong>Movie Director</strong></td>
         <td>$movie_director</td>
         <td><strong>Cost</strong></td>
         <td>$$movie_cost<td/>
         </tr><tr>
         <td><strong>Lead Actor</strong></td>
         <td>$movie_leadactor</td>
         <td><strong>Takings</strong></td>
         <td>$$movie_takings<td/>
         </tr><tr>
         <td><strong>Running Time</strong></td>
         <td>$movie_running_time</td>
         <td><strong>Health</strong></td>
         <td>$movie_health<td/>
        </tr>
      </table></div>
      </body>
    </html>
ENDHTML;
?>

and this is the syntax error I'm dealing with:

这是我正在处理的语法错误:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 7

您的SQL语法有错误;检查与MySQL服务器版本对应的手册,以便在第7行的''附近使用正确的语法

1 个解决方案

#1


OK, this is a quick fix. It goes very little into making the code secure or safe, but it will help this error and at least prevent one injection issue.

好的,这是一个快速修复。它使代码安全或安全很少,但它将有助于此错误,并至少防止一个注入问题。

At the top of your code you need to check if $_GET['movie_id'] isset. It would also be prudent to put a simple is_numeric check which will prevent the value in the url from being something other than a number. If the id passed is not a number (as an id should be), then it is as good as not being passed. I would likely use something more concise like a ternary statement, but this is more readable and understandable to someone new. Put something like this at the top of your script before you build and run that first query (can be before or after declaring the functions):

在代码的顶部,您需要检查$ _GET ['movie_id']是否已设置。放置一个简单的is_numeric检查也是谨慎的,它会阻止url中的值不是数字。如果传递的id不是数字(作为id应该是),那么它就像没有被传递一样好。我可能会像三元语句一样使用更简洁的东西,但这对于新的人来说更具可读性和可理解性。在构建并运行第一个查询之前(可以在声明函数之前或之后),将类似的内容放在脚本的顶部:

//if the movie id was passed in the url and is a number
if(isset($_GET['movie_id']) && is_numeric($_GET['movie_id'])){
    //get it
    $movie_id = $_GET['movie_id'];
} else {
    //stop the code and display error.
    die("Movie id not found.");
}

Then down below in the query, replace $_GET['movie_id'] with the variable $movie_id.

然后在查询下方,将$ _GET ['movie_id']替换为变量$ movie_id。

Another issue I saw is you have and will run into, $calculate_differences is a function name, not a variable. Remove the $ from before it.

我看到的另一个问题是你有并且会遇到,$ calculate_differences是一个函数名,而不是一个变量。从中删除$。

Also, you should likely check if the result from your first query there has any rows with mysql_num_rows. It is entirely possible that someone passes a movie id that doesn't exist.

此外,您应该检查第一个查询的结果是否有任何包含mysql_num_rows的行。完全有可能有人传递了不存在的电影ID。

#1


OK, this is a quick fix. It goes very little into making the code secure or safe, but it will help this error and at least prevent one injection issue.

好的,这是一个快速修复。它使代码安全或安全很少,但它将有助于此错误,并至少防止一个注入问题。

At the top of your code you need to check if $_GET['movie_id'] isset. It would also be prudent to put a simple is_numeric check which will prevent the value in the url from being something other than a number. If the id passed is not a number (as an id should be), then it is as good as not being passed. I would likely use something more concise like a ternary statement, but this is more readable and understandable to someone new. Put something like this at the top of your script before you build and run that first query (can be before or after declaring the functions):

在代码的顶部,您需要检查$ _GET ['movie_id']是否已设置。放置一个简单的is_numeric检查也是谨慎的,它会阻止url中的值不是数字。如果传递的id不是数字(作为id应该是),那么它就像没有被传递一样好。我可能会像三元语句一样使用更简洁的东西,但这对于新的人来说更具可读性和可理解性。在构建并运行第一个查询之前(可以在声明函数之前或之后),将类似的内容放在脚本的顶部:

//if the movie id was passed in the url and is a number
if(isset($_GET['movie_id']) && is_numeric($_GET['movie_id'])){
    //get it
    $movie_id = $_GET['movie_id'];
} else {
    //stop the code and display error.
    die("Movie id not found.");
}

Then down below in the query, replace $_GET['movie_id'] with the variable $movie_id.

然后在查询下方,将$ _GET ['movie_id']替换为变量$ movie_id。

Another issue I saw is you have and will run into, $calculate_differences is a function name, not a variable. Remove the $ from before it.

我看到的另一个问题是你有并且会遇到,$ calculate_differences是一个函数名,而不是一个变量。从中删除$。

Also, you should likely check if the result from your first query there has any rows with mysql_num_rows. It is entirely possible that someone passes a movie id that doesn't exist.

此外,您应该检查第一个查询的结果是否有任何包含mysql_num_rows的行。完全有可能有人传递了不存在的电影ID。