开发者

Is there any errors with this PHP Code?

问答 作者:

Is there any problem with this since i get no output returned?Thanks in advance.

$question_text 开发者_运维问答= $_POST['question_text'];

$first_word = explode(" ", $question_text);

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t,  taxonomy_domain d
 WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id
 AND c.field_name = '$first_word'";

I've changed my code to this and still no output.Is there a problem with the way i display them ?Thanks

$question_text = $_POST['question_text'];

list($first_word) = explode(' ', $question_text);

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t, taxonomy_domain d WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id AND c.field_name = '".mysql_escape_string($first_word[0])."'";

$result = mysql_query($query);

while($row = mysql_fetch_array($result, MYSQL_ASSOC))

{

echo "Keyword :{$row['c.field_name']}" . "Category : {$row['t.category_name']}" . "Domain : {$row['d.domain_name']}"; }

?>

$first_word is an array, not a string, in your query you want $first_word[0]

it is also very unsafe to put any user submitted value directly in to a sql query, it should always be sanitised.

Instead of the explode line you could use following to get a correct SQL query:

$first_word = mysql_real_escape_string(strtok($question_text, " "));

The strtok cuts of the string until the first space. And escape function is necessary to prevent your script from SQL exploits.

Well after $first_word = explode(" ", $question_text); $first_word is an array because explode returns and array

Therefore 

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t,  taxonomy_domain d
 WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id
 AND c.field_name = '$first_word'";

should be

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t,  taxonomy_domain d
 WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id
 AND c.field_name = '".mysql_escape_string($first_word[0])."'";

Read http://php.net/manual/en/function.mysql-escape-string.php for what mysql_escape_string does.

list($first_word) = explode(' ', $question_text);

This should do the trick. Sanitize your database inputs!

继续阅读:phpsql

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9