[英]Why doesn't this SQL command work?
我无法弄清楚为什么这个sql查询不能正常工作,为什么它不能被URL关键字过滤。
这是我的代码:
include("menujednoty.php");
$hostname="localhost";
$username="kintrogorgo";
$password="password";
$keyword = $_GET['a.tovar'];
$db = "jednoty";
$dbh = new PDO("mysql:host=$hostname;dbname=$db", $username, $password);
foreach($dbh->query ('SELECT a.tovar ,
( select sum(b.kusy) from jednotypredaj as b where b.tovar=a.tovar and b.co="prijem" ) as prijem_ks,
( select sum(c.kusy) from jednotypredaj as c where c.tovar=a.tovar and c.co="predaj" ) as predaj_ks, kod
FROM jednotypredaj WHERE
(a.tovar LIKE '%$keyword%' ) as a GROUP BY a.tovar ORDER by a.tovar ASC') as $row)
{
echo "<tr>";
echo "<td>" . $row['tovar'] . "</td>";
echo "<td>" . $row['prijem_ks']. "</td>"; //Tu by mali bit predane kusy
echo "<td>" . $row['predaj_ks'] . "</td>";
echo "<td>" . $row['kod'] . "</td>";
echo "<td>" . ($row['predaj_ks']-$row['prijem_ks'] . "</td>");
echo "<td>" . (100/$row['prijem_ks']*$row['predaj_ks'] . "</td>");
echo '<td><a href="3edit.php?tovar=' . $row['tovar'] . '">Zobraziť</a></td>';
//echo '<td><a href="3test.php?tovar=' . $row['tovar'] . '">In Development</a></td>';
//echo '<td><a href="3testtest.php?tovar=' . $row['tovar'] . '">In Development 2</a></td>';
引号破坏了SQL语法,将其重写为准备好的语句以使其更容易:
$stmt = $dbh->prepare('SELECT a.tovar ,
( select sum(b.kusy) from jednotypredaj as b
where b.tovar=a.tovar and b.co=:received ) as prijem_ks,
( select sum(c.kusy) from jednotypredaj as c
where c.tovar=a.tovar and c.co=:paid ) as predaj_ks, kod
FROM jednotypredaj WHERE
(a.tovar LIKE :keyword ) as a
GROUP BY a.tovar ORDER by a.tovar ASC');
$stmt->execute(array('received' => 'prijem','paid' => 'predaj','keyword' => $keyword));
foreach ($stmt as $row) {
echo "<tr>";
echo "<td>" . $row['tovar'] . "</td>";
...
重新考虑您的SQL语句,因为您可以运行相关的子查询或条件聚合。 另外,您的表别名a
在WHERE
子句之后的位置不正确:
关联子查询(使用kod
列保留单位级别的记录)
SELECT a.tovar,
(select sum(b.kusy) from jednotypredaj as b
where b.tovar=a.tovar and b.co='prijem') as prijem_ks,
(select sum(c.kusy) from jednotypredaj as c
where c.tovar=a.tovar and c.co='predaj') as predaj_ks,
a.kod
FROM jednotypredaj as a
WHERE (a.tovar LIKE '%$keyword%')
ORDER by a.tovar ASC
有条件的汇总(按汇总记录分组,不带kod
除非作为一组添加)
SELECT a.tovar,
SUM(CASE WHEN a.co='prijem' THEN a.kusy ELSE NULL END) as prijem_ks,
SUM(CASE WHEN a.co='predaj' THEN a.kusy ELSE NULL END) as predaj_ks
FROM jednotypredaj as a
WHERE (a.tovar LIKE '%$keyword%')
GROUP BY a.tovar
ORDER by a.tovar ASC
如果您的实例的ONLY_FULL_GROUP_BY设置已关闭,但不建议这样做且与ANSI-SQL不兼容,则MySQL可能在聚合查询的SELECT
子句中允许kod
,而在聚合查询的GROUP BY
子句中不允许。
如前所述,在PHP脚本中使用绑定字符串文字参数化这些查询的参数,这有助于避免引用处理和SQL注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.