[英]What PHP function should I use to call the id of a dynamic page?
I'm creating a news website, and want to create a dynamic PHP page that will have the header and footer, and get the content itself (title and text) from the database by calling the article's id via the URL(like 'article.php?id=1'), so that there is no need for creating a new file for each article. 我正在创建一个新闻网站,并希望创建一个具有页眉和页脚的动态PHP页面,并通过URL(如“ article”)调用文章的ID,从数据库中获取内容本身(标题和文本)。 php?id = 1'),因此无需为每篇文章创建一个新文件。 However, I don't know what function should I use to make that work.
但是,我不知道应该使用什么功能来实现该功能。 Currently, the code is like this:
当前,代码是这样的:
<?php
include "header.php";
$query = "SELECT title_article, subtitle_article, content_article FROM tb_article WHERE id_tb_article = 1";
$conn = mysqli_connect('127.0.0.1:3307', 'root', '', 'article') or die("error");
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) > 0) {
// output data of each row
while($row = mysqli_fetch_assoc($result)) {
echo "<div class='titlediv'><h1 class='title'>" . $row["title_article"]. "</h1></div><div class='titlediv'><h3 class='title'>". $row["subtitle_article"]. "</h3></div><div class='textdiv'><p class='text'>" . $row["content_article"]. "</p></div><br>";
}
} else {
echo "Article not found";
}
include "footer.php";
?>
To get the id
value from query string in URL, you can use the PHP's superglobal $_GET['id']
. 要从URL中的查询字符串获取
id
值,可以使用PHP的超全局变量$_GET['id']
。
To select a dynamic value from SQL using this value you must use prepared statements with parameter binding. 要使用此值从SQL中选择动态值,必须使用带参数绑定的预备语句。
Your code with all the fixes would look more or less like this: 具有所有修复程序的代码或多或少看起来像这样:
<?php
include "header.php";
$query = "SELECT title_article, subtitle_article, content_article FROM tb_article WHERE id_tb_article = 1";
// Enable mysqli error reporting and NEVER die()
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('127.0.0.1:3307', 'root', '', 'article');
$conn->set_charset('utf8mb4'); // You should always specify the correct charset, which most of the time should be utf8mb4
// prepare -> bind -> execute -> get result
$stmt = $conn->prepare('SELECT title_article, subtitle_article, content_article
FROM tb_article
WHERE id_tb_article = ? ');
$stmt->bind_param('i', $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows) {
// output data of each row
foreach ($result as $row) {
echo "<div class='titlediv'><h1 class='title'>" . htmlspecialchars($row["title_article"]). "</h1></div>";
echo "<div class='titlediv'><h3 class='title'>". htmlspecialchars($row["subtitle_article"]). "</h3></div>";
echo "<div class='textdiv'><p class='text'>" . htmlspecialchars($row["content_article"]). "</p></div><br>";
}
} else {
echo "Article not found";
}
include "footer.php";
Whenever output values into HTML context always do it via htmlspecialchars
每当将值输出到HTML上下文中时,始终通过
htmlspecialchars
You can use a GET method and the url look like 'article.php?id=2'. 您可以使用GET方法,其网址类似于“ article.php?id = 2”。
<?php
include "header.php";
//use GET to get the id
$id = $_GET["id"];
// use .$id to concat to the query
$query = "SELECT title_article, subtitle_article, content_article FROM tb_article WHERE id_tb_article = ".$id;
$conn = mysqli_connect('127.0.0.1:3307', 'root', '', 'article') or die("error");
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) > 0) {
// output data of each row
while($row = mysqli_fetch_assoc($result)) {
echo "<div class='titlediv'><h1 class='title'>" . $row["title_article"]. "</h1></div><div class='titlediv'><h3 class='title'>". $row["subtitle_article"]. "</h3></div><div class='textdiv'><p class='text'>" . $row["content_article"]. "</p></div><br>";
}
} else {
echo "Article not found";
}
include "footer.php";
?> ?>
You want to look at the global variables $_GET and $_POST. 您想查看全局变量$ _GET和$ _POST。 In your example ('article.php?id=1') you will find the value of 'id' in $_GET['id'].
在示例('article.php?id = 1')中,您将在$ _GET ['id']中找到'id'的值。
URL: article.php?id=42 网址:article.php?id = 42
echo $_GET['id']; // Outputs 42
Remember that anyone can change that value in the URL and even injecting malicious queries into your query. 请记住,任何人都可以在URL中更改该值,甚至可以将恶意查询注入到您的查询中。 Its better to at least cast your id to an integer first and use always mysqli_real_escape_string() for URL given variables in the query.
最好至少将您的id首先转换为整数,并始终对查询中给定的URL使用mysqli_real_escape_string()作为URL更好。
URL: article.php?id=42;DROP TABLE tb_article 网址:article.php?id = 42; DROP TABLE tb_article
echo $_GET['id']; // Outputs "42;DROP TABLE tb_article", would delete your table when used directly
// Convert to an integer value
$id = intval($_GET['id']); // Returns 42
$query = "... FROM tb_article WHERE id_tb_article = ".mysqli_real_escape_string($id);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.