堆栈内存溢出
  简体   繁体   English

mysql_num_rows如何在mysqli中使用?

[英]How mysql_num_rows use in mysqli?

 原文  2013-10-02 05:56:47       php/ mysqli

问题描述

I have search query mysql, but because of SQL INJECTION I changed my code into MySqli. 我有搜索查询mysql,但由于SQL INJECTION我将我的代码更改为MySqli。 I used 我用了

if(mysql_num_rows($result)>= 1)

before and I changed it into 之前我把它改成了

if(($result->num_rows)>= 1)

My problem is even there are match value in query, it always echo no results. 我的问题是,即使在查询中有匹配值,它总是回显没有结果。 Why is that? 这是为什么? 

<?php
$mysqli = new mysqli("localhost", "root", "", "app");
$result = $mysqli->query="SELECT *,SUM(unit_cost*quantity) AS total_amount FROM procurement WHERE counter LIKE '%".$search."%' 
OR item_description LIKE '%".$search."%' OR fund_source LIKE '%".$search."%' OR quantity LIKE '%".$search."%' OR mode_of_procurement LIKE '%".$search."%' 
OR division LIKE '%".$search."%' OR section LIKE '%".$search."%' GROUP BY counter";

if(($result->num_rows)<= 0){
echo "</br><div style='margin:0 auto;background:#fff;padding:3px;color:#2086e4;font-size:11px;font-weight:bold;text-align:center;'>
No Result for :<font color='red' style='text-transform:uppercase'>&nbsp; &nbsp;".$search."</div>";

//echo 'No Result for <font color="red">'.$search.'</font>';
}
if(($result->num_rows)>= 1){
echo'</br><div style="margin:0 auto;background:#fff;padding:3px;color:#2086e4;font-size:11px;font-weight:bold;text-align:center;">
Result for :<font color="red" style="text-transform:uppercase">&nbsp; &nbsp;'.$search.'</font></div>';
    echo"<div id='id3' style='margin-top:10px;'><table id='tfhover' class='tftable' border='1 style='text-transform:uppercase;'>
        <thead>
        <tr>
        <th></th><th>Item Description</th>
        <th>Fund Source</th>
        <th>Unit</th>
        <th>Unit Cost</th>
        <th>Quantity</th>
        <th>Total Amount</th>
        <th>Mode of Procurement</th>
        <th>Supplier</th>
        <th>P.O #</th>
        <th>P.O Date</th>
        <th>Division</th>
        <th>Section</th>
        </tr></thead><tbody>";

    while($row = $result->fetch_assoc()){
echo'<tr>
        <td><a href="'.$_SERVER['PHP_SELF'].'?pn='.$row["counter"].'" onclick="return confirm(\'Really want to delete?\');"><img src="images/del.png" border"0" width="15" height="15"></a></td>
        <td>'.$row['item_description'].'</td>
        <td>'.$row['fund_source'].'</td>
        <td>'.$row['unit'].'</td>
        <td>'.$row['unit_cost'].'</td>
        <td>'.$row['quantity'].'</td>
        <td>'.$row['total_amount'].'</td>
        <td>'.$row['mode_of_procurement'].'</td>
        <td>'.$row['supplier'].'</td>
        <td>'.$row['po_number'].'</td>
        <td>'.$row['po_date'].'</td>
        <td>'.$row['division'].'</td>
        <td>'.$row['section'].'</td></tr></tbody>';
}
}
else{
}
?>

3 个解决方案

解决方案1
 2  2013-10-02 06:01:09

You are setting a query property on the $mysqli object, instead of calling the query() method . 您正在$mysqli对象上设置query属性,而不是调用query() 方法 Use 采用 

$result = $mysqli->query("some sql");

instead. 代替。

Furthermore, using any database module this way can (and probably will) result in SQL injections. 此外,以这种方式使用任何数据库模块都可以(并且可能会)导致SQL注入。 You are still building a query string by string concatenation; 您仍在按字符串连接构建查询字符串; whether it's mysql , mysqli or something else, by this route you will always have SQL injection vulnerabilities. 无论是mysqlmysqli还是其他东西,通过这条路线你总会有SQL注入漏洞。

解决方案2
 1  2013-10-02 06:08:11

You just managed to get EVERYTHING wrong. 你只是设法弄错了一切。

First of all, you didn't make your code any secure. 首先,您没有使您的代码安全。 "Mysqli" is not a magic chant that makes everything safe just by its presence. “Mysqli”不是一个神奇的颂歌,只是通过它的存在使一切安全。 To make your code secure you have to use prepared statements 为了确保您的代码安全,您必须使用预准备语句

Second, you don't need no number of rows at all. 其次,您根本不需要任何行数。 You should quit that old dirty approach of mixing HTML with SQL and learn to use some templates . 你应该放弃将HTML与SQL混合的旧方法,并学习使用一些模板 With templates you will need no dedicated function to know if you get any rows at all. 使用模板,您无需专用功能即可知道是否有任何行。

解决方案3
 0  2014-01-20 10:31:45

step1: echo it like: step1:回声如下: 

echo $result = $mysqli->query="SELECT *,SUM(unit_cost*quantity) AS total_amount FROM procurement WHERE counter LIKE '%".$search."%' 
OR item_description LIKE '%".$search."%' OR fund_source LIKE '%".$search."%' OR quantity LIKE '%".$search."%' OR mode_of_procurement LIKE '%".$search."%' 
OR division LIKE '%".$search."%' OR section LIKE '%".$search."%' GROUP BY counter";

comnt all other lines and run, copy the output and paste into your sql area of phpmyadmin. comnt所有其他行并运行,复制输出并粘贴到phpmyadmin的sql区域。 if it display any result means the problem related with numrow condition only. 如果显示任何结果,则表示仅与numrow条件相关的问题。 before that make sure u have data to display for the condition. 在此之前,请确保您有条件显示数据。 (if dar is no output in SQL and u have data to display for your search key, problem with your SQL fetch statement in PHP) (如果dar在SQL中没有输出,并且您有要为搜索键显示的数据,则PHP中的SQL提取语句出现问题)

2:now change echo from first and add it into numnow obj like: echo $xxx=$result->num_rows; 2:现在改变第一个回声并将其添加到numnow obj中,如: echo $xxx=$result->num_rows; do the same procedure 做同样的程序 

if($xxx==0) {Action 1} 
elseif($xxx>=1){Action 2}
else{Action 3}

Happy coding 快乐的编码

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 对两个表使用mysql_num_rows - use mysql_num_rows for two tables 如何使用PDO获取mysql_num_rows? - How to get mysql_num_rows with PDO? 如何打印mysql_num_rows? - how to print mysql_num_rows? 将mysql_num_rows更新为新的Mysqli标准:mysqli_stmt_num_rows - update mysql_num_rows to new Mysqli standard: mysqli_stmt_num_rows MySQL mysql_num_rows(); - MySQL mysql_num_rows(); mysql_num_rows的问题 - problem with mysql_num_rows mysql_num_rows()错误 - mysql_num_rows() error Mysql_num_rows()问题 - Mysql_num_rows() issues mysql_num_rows错误 - mysql_num_rows error mysql_num_rows和条件 - mysql_num_rows and condition
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM