当 mysqli_stmt_fetch 失败时如何检索默认行?
我有一个简单的 PHP 脚本,它根据 URL GET 参数从 MySQL 数据库中提取一行,只是一个名为 ID 的 int。
如果 GET 参数是数据库的无效 ID,例如有人输入一个不是数据库中的行的 int,或者他们尝试输入一个字符或其他内容,我想显示一条默认记录。
下面的代码实际上可以工作,但我觉得它是糟糕的代码。我只是不确定为什么,或者我应该做什么。我知道在运行数据库查询之前应该验证 ID 是否为 int,但这并不能解决使用无效 ID 的整数时该怎么做。
因此,为了使这个问题成为一个正确的问题,我应该如何从 mysqli_stmt_fetch 返回 false 中恢复?
放轻松,我知道我是个小傻瓜 :-)
$ID = (int)$_GET["id"];
$query = "SELECT `col1`, `col2`, `col3` FROM `table` WHERE `ID` = ?";
if ($stmt = mysqli_prepare($connection, $query))
{
mysqli_stmt_bind_param($stmt, "i", $ID);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
if (!mysqli_stmt_fetch($stmt))
{
$ID = 1; //A record I know exists and will always exist
mysqli_stmt_bind_param($stmt, "i", $ID);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
mysqli_stmt_fetch($stmt);
}
mysqli_stmt_close($stmt);
}
好的,通过一些反馈和实验,我在 PHP 中将 ID 转换为 int 并将 SQL 查询更改为:
SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = ?
UNION
SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = 1
LIMIT 1
这适用于我能想到的所有情况,并且似乎很安全。有什么问题吗?有比我的更好的吗?
I've got a simple PHP script that pull a row from a MySQL database based on a URL GET parameter, just an int called, say, ID.
If the GET parameter were to be an invalid ID for the database, such as someone enters an int that's not a row in the DB, or they try and enter a character or something, I'd like to display a default record.
The following code actually works, but I feel that it's bad code. I'm just not sure why, or what I should do. I know I should validate ID is an int before I run the database queries, but that doesn't solve what to do when an integer that is an invalid ID is used.
So to make this a proper question, how should I recover from mysqli_stmt_fetch returning false?
Go easy, I know I'm a nub :-)
$ID = (int)$_GET["id"];
$query = "SELECT `col1`, `col2`, `col3` FROM `table` WHERE `ID` = ?";
if ($stmt = mysqli_prepare($connection, $query))
{
mysqli_stmt_bind_param($stmt, "i", $ID);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
if (!mysqli_stmt_fetch($stmt))
{
$ID = 1; //A record I know exists and will always exist
mysqli_stmt_bind_param($stmt, "i", $ID);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $var1, $var2, $var3);
mysqli_stmt_fetch($stmt);
}
mysqli_stmt_close($stmt);
}
OK, so with some feedback and experimentation I've cast the ID as an int in PHP and changed the SQL query to this:
SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = ?
UNION
SELECT `col1`, `col2`, `col3`
FROM `table`
WHERE `ID` = 1
LIMIT 1
This works for all cases I can think of and seems to be secure. Any problems? Any better than what I had?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
首先检查传入的 $ID 中的 char 等并将其设置为永远不会作为表中 ID 的值,然后使用查询
First check incoming $ID for char and so and set it to value that never be as ID in your table, then use query
假设默认记录有一个 id,那么它可以在单个查询中完成:
只需将默认 ID 硬编码到查询字符串中即可。
Assuming the default record has an id, then it could be done in a single query:
and just hard-code the default ID into the query string.