


 $query =  'SELECT * from #__chronoforms_UploadAuthor where text_6 like "%'.$_GET['title'].'%" and text_7 like "%'.$_GET['author'].'%" limit 0,1';


Where I am trying to insert a PHP variable instead of 1 in the limit:

   $query =  'SELECT * from #__chronoforms_UploadAuthor where text_6 like "%'.$_GET['title'].'%" and text_7 like "%'.$_GET['author'].'%" limit 0,"'.$_GET['limit'].'"';


but it shows me an error. There is some error in the way $_GET['limit'] is used.




  1. The way you're writing out those queries is a bit hard to read. Personally I prefer using a multi-line heredoc syntax (as per below), but this isn't strictly required;


  2. Any user input should go through mysql_real_escape_string() to avoid SQL injection attacks. Note: "user input" includes anything that comes from the client including cookies, form fields (normal or hidden), query strings, etc.; and


  3. You don't need to quote the second argument to the LIMIT clause, which is probably the source of your problem, meaning put LIMIT 0,5 not LIMIT 0,"5".


$title = mysql_real_escape_string($_GET['title']);
$author = mysql_real_escape_string($_GET['author']);
$limit = (int)$_GET['limit'];

$query = <<<END
SELECT *
FROM #__chronoforms_UploadAuthor
WHERE text_6 LIKE "%$title%"
AND text_7 LIKE "%$author%"
LIMIT 0,$limit
END;


Also, one commenter noted that % and _ should be escaped. That may or may not be true. Many applications allow the user to enter wildcards. If that's the case then you shouldn't escape them. If you must escape them then process them:

$title = like_escape($title);

function like_escape($str) {
    // Put a backslash before % or _ unless it is already escaped, i.e. unless
    // it is preceded by an odd number of backslashes. The captured run of
    // backslash pairs ($1) is kept and one backslash is inserted before the
    // wildcard ($2).
    return preg_replace('!(?<!\\\\)((?:\\\\\\\\)*)([%_])!', '$1\\\\$2', $str);
}


That somewhat complicated regular expression is trying to stop someone putting in '\%' and getting '\\%', which would then escape the backslash but not the '%'.
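As an added example (not code from the question or from the answer above), here is the same lookup written with PDO prepared statements, so the user's input is sent as bound values and never becomes part of the SQL text, and the LIMIT argument is bound as an integer rather than a quoted string. The function name find_upload_author, the helper like_escape_literal, the expansion of the Joomla '#__' prefix to 'jos_', and the DSN and credentials are all assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original question or answer.
// Assumed: the Joomla prefix '#__' expands to 'jos_', and the PDO
// connection below uses placeholder DSN and credentials.

/**
 * Escape LIKE metacharacters in raw user input so that any % or _ the user
 * typed match literally. Every backslash is doubled as well, so unlike the
 * regex in the answer this does not try to honour backslashes the user typed
 * as escapes. MySQL uses backslash as the LIKE escape character by default.
 */
function like_escape_literal(string $str): string
{
    return addcslashes($str, '\\%_');
}

/**
 * Run the query from the question with bound parameters. $limit is a PHP
 * int, so the LIMIT clause never receives a quoted string (the original
 * error) and the value can never alter the query's structure.
 */
function find_upload_author(PDO $pdo, string $title, string $author, int $limit): array
{
    $sql = 'SELECT * FROM jos_chronoforms_UploadAuthor'   // assumed prefix
         . ' WHERE text_6 LIKE :title AND text_7 LIKE :author'
         . ' LIMIT 0, :limit';
    $stmt = $pdo->prepare($sql);

    // The application adds the wildcards; the user's own % and _ are escaped.
    $stmt->bindValue(':title',  '%' . like_escape_literal($title)  . '%', PDO::PARAM_STR);
    $stmt->bindValue(':author', '%' . like_escape_literal($author) . '%', PDO::PARAM_STR);

    // LIMIT must be a bare integer, so bind it as PDO::PARAM_INT.
    $stmt->bindValue(':limit', max(0, $limit), PDO::PARAM_INT);

    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details (assumed).
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

$rows = find_upload_author(
    $pdo,
    (string)($_GET['title']  ?? ''),
    (string)($_GET['author'] ?? ''),
    (int)($_GET['limit']     ?? 1)
);
```

The mysql_* functions used in the answer were removed in PHP 7, so PDO (or mysqli) with prepared statements is the route for current code. Binding the LIMIT value as PDO::PARAM_INT matters: with emulated prepares enabled, a string value would be quoted and produce the same "LIMIT 0,'5'" error the question describes.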

