我的php&mysql搜索引擎
这是一个简单的搜索引擎,但我决定升级这个搜索引擎,将所需产品的图像添加到结果中,所以我的问题是,第一个产品的图像将是所有其他产品的图像
这里的代码:
<?php
include ('Connections/connect.php');
// collect
if (isset($_POST['search'])) {
$searchq = $_POST['search'];
$searchq = preg_replace("#[^0-9a-z]#i", "", $searchq);
$query = mysql_query("SELECT * FROM tProduct WHERE sProduct LIKE '%$searchq%' OR sSearch LIKE '%$searchq%' OR sSort LIKE '%$searchq%'") or die("La Recherche est impossible");
$count = mysql_num_rows($query);
$result = mysql_query("SELECT * FROM tProduct WHERE sProduct LIKE '%$searchq%' OR sSearch LIKE '%$searchq%' OR sSort LIKE '%$searchq%'");
/*Afichage de L'image*/
$results = mysql_query("SELECT * FROM tProduct WHERE sProduct='$product'");
$row = mysql_fetch_row($result);
foreach($row as $results) {
$nom = $row[6];
}
$dir = "images/";
if ($row[6] == 0) {
$image_r = "images/none.png";
}
if ($row[6] != 0) {
if (file_exists($dir . $nom . ".JPEG")) {
$image_r.= $dir . $nom . ".JPEG";
}
else
if (file_exists($dir . $nom . ".jpg")) {
$image_r.= $dir . $nom . ".jpg";
}
else
if (file_exists($dir . $nom . ".jpeg")) {
$image_r.= $dir . $nom . ".jpeg";
}
}
if ($count == 0) {
$output = "Aucun Résultat Pour Cette Recherche!";
}
else {
while ($row = mysql_fetch_array($query)) {
$sProduct = $row['sProduct'];
$output.= '<div><ul><li><a target="_blanc" href="product.php?product=' . $sProduct . '" title="' . $sProduct . '"><img src="' . $image_r . '">' . $sProduct . '</a></li></ul></div>';
}
}
}
这是所有的源代码,希望我能找到一些帮助
感谢stackexchange的所有成员。
您的代码容易受到SQL注入的攻击。请使用这样的东西:
$searchq = $_POST['search'];
$searchq = preg_replace("#[^0-9a-z]#i", "", $searchq);
$escapedSearchQ = mysql_real_escape( $searchq );
$query = mysql_query( "SELECT * "
. " FROM tProduct "
. " WHERE sProduct LIKE '%" . $escapedSearchQ . "%' "
. " OR sSearch LIKE '%" . $escapedSearchQ . "%' "
. " OR sSort LIKE '%" . $escapedSearchQ . "%' "
)
or die("La Recherche est impossible")
;
OWASP在这里提供了如何编写安全PHP代码的详细信息。
您在循环之外处理图像语句。去掉第一个循环,将所有图像处理转移到第二个循环。附样品:
if (isset($_POST['search'])) {
$searchq = $_POST['search'];
$searchq = preg_replace("#[^0-9a-z]#i", "", $searchq);
$query = mysql_query("SELECT * FROM tProduct WHERE sProduct LIKE '%$searchq%' OR sSearch LIKE '%$searchq%' OR sSort LIKE '%$searchq%'") or die("La Recherche est impossible");
$count = mysql_num_rows($query);
$result = mysql_query("SELECT * FROM tProduct WHERE sProduct LIKE '%$searchq%' OR sSearch LIKE '%$searchq%' OR sSort LIKE '%$searchq%'");
/*Afichage de L'image*/
$results = mysql_query("SELECT * FROM tProduct WHERE sProduct='$product'");
// this query looks redundant. your search query should include an image since you're selecting all from that table in both cases
$dir = "images/";
if ($count == 0) {
$output = "Aucun Résultat Pour Cette Recherche!";
}
else
{
while ($row = mysql_fetch_array($query)) {
$image_r = "images/none.png";
if ($row[6] != 0) {
$nom = $row[6];
if (file_exists($dir . $nom . ".JPEG")) {
$image_r = $dir . $nom . ".JPEG";
}
else
if (file_exists($dir . $nom . ".jpg")) {
$image_r = $dir . $nom . ".jpg";
}
else
if (file_exists($dir . $nom . ".jpeg")) {
$image_r = $dir . $nom . ".jpeg";
}
}
$sProduct = $row['sProduct'];
$output.= '<div><ul><li><a target="_blanc" href="product.php?product=' . $sProduct . '" title="' . $sProduct . '"><img src="' . $image_r . '">' . $sProduct . '</a></li></ul></div>';
}
}
}
此外,mysql_functions也被弃用。您应该切换到PDO或MySQLi。