当 mysqli_stmt_fetch 失败时如何检索默认行?

发布于 2024-10-21 18:22:45 字数 1240 浏览 5 评论 0原文

我有一个简单的 PHP 脚本,它根据 URL GET 参数从 MySQL 数据库中提取一行,只是一个名为 ID 的 int。

如果 GET 参数是数据库的无效 ID,例如有人输入一个不是数据库中的行的 int,或者他们尝试输入一个字符或其他内容,我想显示一条默认记录。

下面的代码实际上可以工作,但我觉得它是糟糕的代码。我只是不确定为什么,或者我应该做什么。我知道在运行数据库查询之前应该验证 ID 是否为 int,但这并不能解决使用无效 ID 的整数时该怎么做。

因此,为了使这个问题成为一个正确的问题,我应该如何从 mysqli_stmt_fetch 返回 false 中恢复?

放轻松,我知道我是个小傻瓜 :-)

$ID = (int)$_GET["id"];

$query = "SELECT `col1`, `col2`, `col3` FROM `table` WHERE `ID` = ?";

if ($stmt = mysqli_prepare($connection, $query))
{
    mysqli_stmt_bind_param($stmt, "i", $ID);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
    if (!mysqli_stmt_fetch($stmt))
    {   
        $ID = 1; //A record I know exists and will always exist
        mysqli_stmt_bind_param($stmt, "i", $ID);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
        mysqli_stmt_fetch($stmt);
    }
    mysqli_stmt_close($stmt);
}

好的,通过一些反馈和实验,我在 PHP 中将 ID 转换为 int 并将 SQL 查询更改为:

SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = ?
UNION
SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = 1
LIMIT 1

这适用于我能想到的所有情况,并且似乎很安全。有什么问题吗?有比我的更好的吗?

I've got a simple PHP script that pull a row from a MySQL database based on a URL GET parameter, just an int called, say, ID.

If the GET parameter were to be an invalid ID for the database, such as someone enters an int that's not a row in the DB, or they try and enter a character or something, I'd like to display a default record.

The following code actually works, but I feel that it's bad code. I'm just not sure why, or what I should do. I know I should validate ID is an int before I run the database queries, but that doesn't solve what to do when an integer that is an invalid ID is used.

So to make this a proper question, how should I recover from mysqli_stmt_fetch returning false?

Go easy, I know I'm a nub :-)

$ID = (int)$_GET["id"];

$query = "SELECT `col1`, `col2`, `col3` FROM `table` WHERE `ID` = ?";

if ($stmt = mysqli_prepare($connection, $query))
{
    mysqli_stmt_bind_param($stmt, "i", $ID);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
    if (!mysqli_stmt_fetch($stmt))
    {   
        $ID = 1; //A record I know exists and will always exist
        mysqli_stmt_bind_param($stmt, "i", $ID);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
        mysqli_stmt_fetch($stmt);
    }
    mysqli_stmt_close($stmt);
}

OK, so with some feedback and experimentation I've cast the ID as an int in PHP and changed the SQL query to this:

SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = ?
UNION
SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = 1
LIMIT 1

This works for all cases I can think of and seems to be secure. Any problems? Any better than what I had?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

首先检查传入的 $ID 中的 char 等并将其设置为永远不会作为表中 ID 的值,然后使用查询

SELECT col1, col2, col3 FROM table WHERE ID = :id
union all 
SELECT col1, col2, col3 FROM table WHERE ID = 1 /* may :defaut_id if */
where not exist (select 1 from table WHERE ID = :id)

First check incoming $ID for char and so and set it to value that never be as ID in your table, then use query

SELECT col1, col2, col3 FROM table WHERE ID = :id
union all 
SELECT col1, col2, col3 FROM table WHERE ID = 1 /* may :defaut_id if */
where not exist (select 1 from table WHERE ID = :id)
残疾 2024-10-28 18:22:45

假设默认记录有一个 id,那么它可以在单个查询中完成:

select ...
from ...
where (id = ?) or (id = $default_id)

只需将默认 ID 硬编码到查询字符串中即可。

Assuming the default record has an id, then it could be done in a single query:

select ...
from ...
where (id = ?) or (id = $default_id)

and just hard-code the default ID into the query string.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文