[英]SQL query by if(!empty($_GET for Wordpress
I need to do a query for a wordpress plugin but I can't figure it out by mayself. 我需要查询wordpress插件,但无法自行解决。 I want to limit post by category ids and if not any category was given, than show all post.
我想按类别ID来限制发布,如果没有给出任何类别,则要显示所有发布。 My sql is:
我的SQL是:
$sql = "
SELECT $wpdb->posts.ID, $wpdb->posts.post_title, $wpdb->posts.post_content, $wpdb->posts.post_excerpt, $wpdb->posts.post_name
FROM $wpdb->posts
LEFT JOIN $wpdb->term_relationships ON
($wpdb->posts.ID = $wpdb->term_relationships.object_id)
LEFT JOIN $wpdb->term_taxonomy ON
($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id)
WHERE $wpdb->posts.post_status = 'publish'
AND $wpdb->posts.post_type = 'product'
AND $wpdb->term_taxonomy.taxonomy = 'product_cat'".
if(!empty($_GET["category"])) {
"AND $wpdb->term_taxonomy.term_id = '".htmlspecialchars($_GET["category"])."'".
}
"ORDER BY post_date DESC";
As you can understand, I'm trying to get category id by url like &category=12 but thats giving me a blank page (no errors or like) could you guys help me with that? 如您所知,我正在尝试通过类似于&category = 12的url获取类别ID,但这就是给我一个空白页(没有错误或类似内容),你们可以帮我吗?
You cannot concatenate statements into expressions . 您不能将语句连接成表达式 。 You can only concatenate expressions , so you'll have to use a ternary:
您只能连接表达式 ,因此必须使用三元数:
"AND $wpdb->term_taxonomy.taxonomy = 'product_cat'".
(!empty($_GET['category']) ?
"AND $wpdb->term_taxonomy.term_id = '". htmlspecialchars($_GET["category"]) . "'" : '')
. "rest of query";
But really, this isn't the way to query the DB (it's massively unsafe... honestly) and it's messy, and hellish to maintain, and you're not checking isset
on the $_GET
params. 但是,实际上,这不是查询数据库的方法(这是非常不安全的……坦白地说) ,它很杂乱,难以维护, 并且您没有检查
$_GET
参数上的isset
。
Basically, everything that can (and likely should) contain a semi-colon, is a statement: 基本上,所有可以(并且可能应该)包含分号的内容都应声明:
$foo = "bar";//statement
This simple assignment statement falls consists of several expressions , of which "bar"
is one. 这个简单的赋值语句由几个表达式组成,其中
"bar"
是其中之一。 This statement also happens to be an expression, but that's not the point. 该语句也恰好是一个表达式,但这不是重点。 The point is that:
关键是:
if ($condition)
{
//STATEMENT(S)
}
is not an expression, so it can't be incorporated into a single statement (like in your case, an the assignmend of a query string to a variable called $sql
). 不是表达式,因此不能将其合并到单个语句中(例如,在您的情况下,将查询字符串的赋值给名为
$sql
的变量)。
Warning 警告
Your query is, as others have pointed out, vulnerable to injection . 正如其他人指出的那样,您的查询很容易受到注入的影响 。 WP allows you to use prepared statements , and you really should do so:
WP允许您使用准备好的语句 ,您确实应该这样做:
$id = $_POST['some_value'];//check isset first, of course
$wpdb->query(
$wpdb->prepare(
'SELECT foo FROM bar WHERE id = %d',
$id
)
);
You can't put an if in the middle of a string. 您不能将if放在字符串中间。 You can use the concatenating assignment operator to add to the
$sql
variable. 您可以使用串联分配运算符将其添加到
$sql
变量中。
$sql = "SELECT $wpdb->posts.ID, $wpdb->posts.post_title, $wpdb->posts.post_content, $wpdb->posts.post_excerpt, $wpdb->posts.post_name
FROM $wpdb->posts
LEFT JOIN $wpdb->term_relationships ON
($wpdb->posts.ID = $wpdb->term_relationships.object_id)
LEFT JOIN $wpdb->term_taxonomy ON
($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id)
WHERE $wpdb->posts.post_status = 'publish'
AND $wpdb->posts.post_type = 'product'
AND $wpdb->term_taxonomy.taxonomy = 'product_cat'";
if(!empty($_GET["category"])) {
$sql .= " AND $wpdb->term_taxonomy.term_id = '".htmlspecialchars($_GET["category"], ENT_QUOTES)."'";
}
$sql .= " ORDER BY post_date DESC";
I also added the ENT_QUOTES
flag to htmlspecialchars() to translate single quotes into '
我还将
ENT_QUOTES
标志添加到htmlspecialchars()中,以将单引号转换为'
. 。 This would add protection from injections, not allowing people to put a single quote in and inject their own query.
这将增加对注入的保护,不允许人们使用单引号和注入自己的查询。
Prepared Statements 准备的陈述
Look at Elias' answer on using prepared statements with Wordpress. 看看Elias关于在Wordpress中使用准备好的语句的答案。 Prepared statements are much safer than relying on any in place function to validate input.
与依靠任何就地函数来验证输入相比,准备好的语句要安全得多。
Thanks for all affords. 感谢所有的负担。 @Devon's code worked very well.
@Devon的代码效果很好。 By the way, I'm editing XML Export script for Wordpress's Woocommerce plugin.
顺便说一下,我正在为Wordpress的Woocommerce插件编辑XML导出脚本。
Original plugin link is: https://wordpress.org/plugins/beslist-xml-feed-voor-woocommerce/ 原始插件链接为: https : //wordpress.org/plugins/beslist-xml-feed-voor-woocommerce/
And you can download edited version of this plugin here: https://github.com/eXspet/beslist-xml-edited 您可以在这里下载此插件的编辑版本: https : //github.com/eXspet/beslist-xml-edited
What I've changed: 我改变了什么:
<kur>USD</kur>
<kur>USD</kur>
来显示默认货币 I'm not a coder, so I don't know much about security, If you notice any security open in this plugin, please let me know. 我不是编码员,所以我对安全性了解不多。如果您发现此插件中有任何安全性开放,请告诉我。 Thanks everyone, again.
再次感谢大家。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.