开发者

Limiting queries to a specific category

问答 作者:

Im trying to do a mysql query and keep the results of the answer within a specific category, but I am lost on the correctness of the last line.

$category_in_now = get_products_category_id($_GET['products_id']);
$similar_products = "SELECT p.products_type, p.products_id, pd.products_name, 
p.products_image, p.products_price, p.products_tax_class_id,
p.products_date_added, m.manufacturers_name, p.products_model, p.products_quantity, 
p.products_weight, p.product_is_call,
p.product_is_always_free_shipping, p.products_qty_box_status,
p.master_categories_id
FROM " . TABLE_PRODUCTS . " p
LEFT JOIN " . TABLE_MANUFACTURERS . " m 
ON (p.manufacturers_id = m.manufacturers_id), " . 
TABLE_PRODUCTS_DESCRIPTION . " pd
WHERE p.products_status = 1
AND p.products_id = pd.products_id
AND p.master_categories_id  == " . $category_in_now;

DEC 29: I ended up doing this, but am left with some questions on on the RAND LIMIT part the need for looping, am I doing this correctly?

<?php 
echo '<div>';
$category_in_now = zen_get_products_category_id($_GET['products_id']);

for($i=0;$i<4;$i++) {
        $products_query_raw = "SELECT p.products_开发者_JAVA百科id, p.products_type, pd.products_name, p.products_image, p.products_price,
                               p.master_categories_id
                               FROM " . TABLE_PRODUCTS . " p
                               LEFT JOIN " . TABLE_MANUFACTURERS . " m
                               ON (p.manufacturers_id = m.manufacturers_id), " . TABLE_PRODUCTS_DESCRIPTION . " pd
                               WHERE p.products_status = 1 
                               AND p.products_id = pd.products_id
                               AND p.master_categories_id = :catInNow  ORDER BY rand() LIMIT 0,4";

        $products_query_raw = $db->bindVars($products_query_raw, ':catInNow', $category_in_now, 'integer');
        $result = $db->Execute($products_query_raw);

        echo '<li>';
            echo '<div id="item">';
        if ($result->RecordCount() > 0) {
            echo '<a href="' . zen_href_link('product_info', 'cPath=' . $cPath .  '&products_id=' . $result->fields['products_id']) . '">';
            echo zen_image(DIR_WS_IMAGES . $result->fields['products_image'], $result->fields['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
            echo '</a>';
            echo '</div>';
        echo '</li>';
        }
}
echo '</div>';
?>

Depending on what get_products_category_id() does, this can be an SQL injection hole. You never append a variable like that. These days, you use prepared statements from mysqli or PDO. Of course, you can manually escape or in some special cases, a casting to int is enough (you can't hide any mischief in an integer) but doing this is asking for trouble. Have a central helper that avoids this (or just use Drupal :) ).

Finally, the last line is certainly wrong SQL-wise too as == is not an SQL operation. Given that your helper is called getting product*s* I suspect you wanted IN. If it's a single value, then =.

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9