我通过搜索字段从数据库中提取数据时遇到问题。我正在尝试同时保护我的搜索字段免受 Sql 注入的影响。将数据添加到我的数据库中工作正常,我认为我在安全方面做得很好。然而,提取数据似乎更难。
我想要实现的只是从这个人那里获取所有数据。我正在搜索字段中查找"Bart",因此请向我显示数据库中所有 Bart 的所有数据。
这是我的网页
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>title</title>
<link rel="stylesheet" href="style.css">
<link href='http://fonts.googleapis.com/css?family=Raleway:200' rel='stylesheet' type='text/css'>
<script src="script.js"></script>
</head>
<body>
<table class="table_form">
<form method="POST" action="test.php">
<tr>
<td>Voornaam: </td><td><input type="text" name="Voornaam"></td>
</tr>
<tr>
<td>Achternaam: </td><td><input type="text" name="Achternaam"></td>
</tr>
<tr>
<td>Adres: </td><td><input type="text" name="Adres"></td>
</tr>
<tr>
<td>Discipline: </td><td><input type="text" name="Discipline"></td>
</tr>
<tr>
<td>Graad: </td><td><input type="text" name="Graad"></td>
</tr>
<tr>
<td>Voeg toe aan databank: </td><td><input type="submit" name="Adddb" value="Bevestigen"></td>
</tr>
</form>
</table>
<table class="table_form">
<form method="POST" action="test.php">
<tr>
<td>Zoeken</td><td><input type="text" name="Voornaam" /></td>
</tr>
<tr>
<td>Bevestigen</td><td><input type="submit" name="zoeken" /></td>
</tr>
</form>
</table>
<div class="field">
<?php
require_once 'isset.php';
?>
</div>
</body>
</html>
这是 PHP
<?php
require_once 'login.php';
$db_con= new mysqli($db_host, $db_username, $db_password, $db_database);
$db_con->set_charset("utf8");
if($db_con->connect_error) die ("(" . $db_con->connect_error . " Error during connection");
if(isset($_POST['Adddb'])){
$stmt = $db_con->prepare("INSERT INTO customers (Voornaam, Achternaam, Adres, Actief, Discipline, graad) VALUES(?,?,?,NOW(),?,?)");
$stmt->bind_param("sssii",$voornaam, $achternaam, $adres, $discipline,$graad);
$voornaam = $_POST['Voornaam'];
$achternaam = $_POST['Achternaam'];
$adres = $_POST['Adres'];
$discipline = $_POST['Discipline'];
$graad = $_POST['Graad'];
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$db_con->close();
}
if(isset($_POST['zoeken'])){
$stmte = $db_con->prepare="SELECT * FROM customers WHERE Voornaam = (?)";
$stmte->bind_param("s", $zoeknaam);
$zoeknaam = $_POST['Voornaam'];
$stmte->execute();
echo $zoeknaam;
}
?>
我以为我没有拿东西是错的吗?这就是我什么都得不到的原因?
编辑------>
编辑版本如下建议: 错误消失,但没有显示结果:
<?php
require_once 'login.php';
$db_con= new mysqli($db_host, $db_username, $db_password, $db_database);
$db_con->set_charset("utf8");
if($db_con->connect_error) die ("(" . $db_con->connect_error . " Error during connection");
if(isset($_POST['zoeken'])){
$zoeknaam = $_POST['Zoek']; // declare the input here
$stmte = $db_con->prepare("SELECT * FROM customers WHERE Voornaam = ?");
$stmte->bind_param("s", $zoeknaam); // then use inside here
$stmte->execute();
$rows = $stmte->num_rows;
for($i=0; $i < $rows; $i++){
$row=mysqli_fetch_array($stmte, MYSQLI_ASSOC);
echo $row['Voornaam'] . '<br/>';
}
/*if($stmte->num_rows > 0) {
$results = $stmte->get_result();
while($row = $results->fetch_assoc()) {
echo $row['Achternaam'] . '<br/>';
// and other columns
}*/
}
?>
您应该使用 ->get_result()
正确获取结果。之后,您将能够使用 ->fetch_assoc()
.例:
$zoeknaam = $_POST['Voornaam']; // declare the input here
$stmte = $db_con->prepare("SELECT * FROM customers WHERE Voornaam = ?");
$stmte->bind_param("s", $zoeknaam); // then use inside here
$stmte->execute();
if($stmte->num_rows > 0) {
$results = $stmte->get_result();
while($row = $results->fetch_assoc()) {
echo $row['Voornaam'] . '<br/>';
echo $row['Achternaam'] . '<br/>';
// and other columns
}
}
如果不幸的是,您的环境中没有mysqlnd
(如果->get_result()
结果是调用未定义的方法(。这是另一种方式:
$zoeknaam = $_POST['Voornaam'];
$stmte = $db_con->prepare("SELECT * FROM customers WHERE Voornaam = ?");
$stmte->bind_param("s", $zoeknaam);
$stmte->execute();
// get all columns
$meta = $stmte->result_metadata();
while ($field = $meta->fetch_field()) {
$params[] = &$row[$field->name];
}
call_user_func_array(array($stmte, 'bind_result'), $params);
while ($stmte->fetch()) {
echo $row['Voornaam'] . '<br/>';
echo $row['Achternaam'] . '<br/>';
}