2017-07-06 39 views
1

美好的一天, 我是PHP/MySQL的新手,尝试从ajax发送请求,并在具有多个参数的数据库中选择一行。 这是做这件事的好方法吗?选择具有多个参数的行(ajax和PHP)

AJAX(jQuery的):

function readLine(name, firstname) { 
$.ajax({ 
     type: "post", 
     url: "./php/readLine.php", 
     dataType: 'json', 
     data: { name: name, firstname: firstname }, 
     success: function(data) { 
     console.log(data); 
     } 
     error: function(data) { 
     console.log("An error occured!"); 
     } 
}); 
} 

PHP:

<?php 
$sql = "SELECT * FROM table1 WHERE firstname=".intval($_POST['firstname'])." AND name=".intval($_POST['name']); 
$con = mysqli_connect("localhost", "root", "", "myDB"); 
if (!$con) { 
    die("Connection failed: " . mysqli_error($con)); 
} 
$result = mysqli_query($con, $sql); 
$to_encode = array(); 
while($row = mysqli_fetch_array($result, MYSQLI_NUM)){ 
    $to_encode[] = $row; 
} 
echo json_encode($to_encode); 
mysqli_close($con); 
?> 

感谢您的帮助。

+3

对不起,但这是最糟糕的做法。您对***注入攻击持开放态度。研究'准备好声明'以获得更好的方法 –

+0

'name'和'firstname'是字符串...所以我想我不应该在我的PHP代码中使用'intval'...但是我应该使用什么呢? – EricF

回答

1

首先,您应该使用prepared statements而不是,因为目前该代码易受SQL注入攻击。我无法强调这一点,攻击者可以用你目前拥有的代码来破坏你的数据库。

您应该使用类似于以下内容的东西(取自上面链接的页面,并在同一页面上取this comment)。请注意,我已将intval调用移除到您的POST数据,因为我认为它们是字符串而不是整数。

$to_encode = array(); 
$mysqli = new mysqli("localhost", "root", "password", "myDB"); 

/* check connection */ 
if (mysqli_connect_errno()) { 
    printf("Connect failed: %s\n", mysqli_connect_error()); 
    exit(); 
} 

/* create a prepared statement */ 
if ($stmt = $mysqli->prepare("SELECT * FROM table1 WHERE firstname=? AND name=?")) { 

    /* bind parameters for markers */ 
    $stmt->bind_param("ss", $_POST['firstname'], $_POST['name']); 

    /* execute query */ 
    $stmt->execute(); 

    /* instead of bind_result: */ 
    $result = $stmt->get_result(); 

    /* now you can fetch the results into an array - NICE */ 
    while ($myrow = $result->fetch_assoc()) { 

     // use your $myrow array as you would with any other fetch 
     $to_encode[] = $myrow; 

    } 

    /* close statement */ 
    $stmt->close(); 
} 

/* close connection */ 
$mysqli->close(); 

echo json_encode($to_encode); 
1

您可以使用带有预处理语句的PDO来做到这一点,这将确保用户输入安全。像这样:

try { 
    $db = new PDO('mysql:dbname=db_name;host=localhost', 'db_user', 'db_password'); 
} catch (PDOException $e) { 
    die('Connection failed: ' . $e->getMessage()); 
} 

$sql = "SELECT * FROM table1 WHERE firstname=:firstname AND name=:name"; 
$stmt = $db->prepare($sql); 
$stmt->bindParam(':firstname', $_POST['firstname'], PDO::PARAM_STRING); 
$stmt->bindParam(':name', $_POST['name'], PDO::PARAM_STRING); 
$stmt->execute(); 
$result = $stmt->fetchAll(); 

echo json_encode($result); 

将前5行移入包含,那么您只需要一次该代码。

0
$stmt = $con->prepare("SELECT * FROM table1 WHERE name=? and firstname=?"); 
$stmt->bind_param($name ,$firstname); 

// set parameters and execute 
$firstname = mysqli_real_escape_string($con, $_POST['firstname']); 
$name = mysqli_real_escape_string($con, $_POST['name']); 
$stmt->execute(); 
$stmt->bind_result($to_encode); 

$stmt->fetch(); 

echo json_encode($to_encode); 
+0

使用预准备语句时,您不需要'mysqli_real_escape_string',它可以为您做到这一点。 – crazyloonybin