开发者

Help in displaying data from Database

I have created a SQL page wherein users can run SQL queries. My problem in that I dont know what columns the user will input. Hence I cant display what he has asked for. Like if his query was : select id from emp; How do i know what column name he has input and hence di开发者_如何学Csplay it in the results page. Here is the exact query which you can use and help me out. I have used numerous IF cases in my code. Eg: if(strpos($query,"id")) then it displays the id column. Please help me. And thanks in advance !


You must be kidding, letting users write these kind of statements in a webform that the whole world can access..

That said, when you execute a query, you can fetch the result row by row into a key=>value array. The keys will contain the field names. Use mysql_fetch_array for this.

But really. If you got your code working, I can write

SHOW DATABASES;
DROP DATABASE <databasename that is on my screen>

And suddenly you got an empty server. Get this script offline as soon as you can.


I go with GolezTrol, this isn't save at all.

You could of course check with if-statements if the user has used the words 'DROP' or 'SHOW', or just only allow certain things, but I don't know if that is save...


It is safe as long as he limits the sql user's permissions assosiated with the php mysql call. Only give it select permissions for that one database and it really doesnt matter if it is on a public website (assuming you dont care that everyone can see the data).

This will format the sql output into a decent looking table for you:

$header = null;
$colspan = 0;
while($values = odbc_fetch_array($rs))
{
    $result .= "<TR>";
    if(is_null($header))
    {
        foreach(array_keys($values) as $key)
        {
            $header .= "<TH style='border:1px dashed #00FF00;padding:5px 5px 5px 5px;align:left;'>$key</TH>";
            $colspan++;
        }
    }

    foreach($values as $value)
    {
        $result .= "<TD style='border:1px dashed #00FF00;padding:5px 5px 5px 5px;align:left;'>$value</TD>";
    }
    $result .= "</TR>";
}
}
$result = "<TABLE style='padding: 1px 1px 1px 1px;border:dash 1px #00FF00;color:#00FF00;'>".
          "<tr><td colspan='$colspan'>>>" . $sql . "</tr></td>" .
          $header.$result."</TABLE>";


mysql_fetch_field can grab column names from a result set, along with lots of other information about the column (type, max_length, etc.) that might be useful to display in a program like this.


When you run the output from the database query do something like this:

$query = mysql_query("YOUR_USERS_QUERY_HERE");

if (mysql_affected_rows() > 0) {
    while ($row = mysql_fetch_assoc($query)) {
        $keys = array_keys($row);
        foreach ($keys as $a_key) {
            echo $a_key . "=" . $row[$a_key] . " <br /> ";
        }
        echo "<br />";
    }
} else {
    echo "No Rows Found";
}

-- EDIT --

To output the header once you can do something like this:

$first = true;
while ($row = mysql_fetch_assoc($query)) {
    if ($first == true) {
        //output header code here
        $first = false;
    }
    //output data row code here
}
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜