这个问题在这里已经有答案了:
我可以在php中混合mysql api吗(4个答案)
去年关门了。
我找到了一些使用php和mysql进行简单数据库搜索的代码,我能够使它工作。但是,我认为将数据库用户名和密码留在根文件夹的php代码中可能不是一个好主意。因此,我找到了另一个代码示例,它演示了如何在根目录外创建config.ini文件,并使用dbconnect.php文件访问数据库凭据。我试图实现这一点,但我没有任何运气,想知道是否有人可以告诉我我缺少什么(我只有一个基本的掌握编码,并试图学习一点一点)。我已经包含了所有组件文件的代码(并且我将任何用户名/密码/服务器名更改为通用占位符)。在代码下面,我粘贴了提交搜索表单时当前显示的错误。谢谢!
索引.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<form action="search.php" method="GET">
<input type="text" name="query" />
<input type="submit" value="Search" />
</form>
</body>
</html>search.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php require_once('./includes/dbconnect.php'); ?>
</head>
<body>
<?php
$query = $_GET['query'];
// gets value sent over search form
$min_length = 3;
// you can set minimum length of the query if you want
if(strlen($query) >= $min_length) { // if query length is more or equal minimum length then
$query = htmlspecialchars($query);
// changes characters used in html to their equivalents, for example: < to >
$query = mysql_real_escape_string($query);
// makes sure nobody uses SQL injection
$raw_results = mysql_query("SELECT * FROM details WHERE (`title` LIKE '%".$query."%') OR (`text` LIKE '%".$query."%')") or die(mysql_error());
// * means that it selects all fields
// details is the name of our table
// '%$query%' is what we're looking for, % means anything, for example if $query is Hello
if(mysql_num_rows($raw_results) > 0) { // if one or more rows are returned do following
while($results = mysql_fetch_array($raw_results)) {
// $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop
echo "<p><h3>".$results['title']."</h3>".$results['text']."</p>";
// posts results gotten from database(title and text) you can also show id ($results['id'])
}
} else { // if there is no matching rows do following
echo "No results";
}
} else { // if query length is less than minimum
echo "Minimum length is ".$min_length;
}
?>
</body>
</html>数据库连接.php:
<?php
function db_connect() {
// Define connection as a static variable, to avoid connecting more than once
static $connection;
// Try and connect to the database, if a connection has not been established yet
if(!isset($connection)) {
// Load configuration as an array. Use the actual location of your configuration file
$config = parse_ini_file('/home/cpanelusername/private/config.ini');
$connection = mysqli_connect($config['servername'],$config['username'],
$config['password'],$config['dbname']);
}
// If connection was not successful, handle the error
if($connection === false) {
// Handle error - notify administrator, log to a file, show an error screen, etc.
return mysqli_connect_error();
}
return $connection;
}
// Connect to the database
$connection = db_connect();
// Check connection
if ($connection->connect_error) {
die("Connection failed: " . $connection->connect_error);
}
?>配置.ini:
[database]
servername = localhost
username = username
password = password
dbname = username_database警告:mysql\u real\u escape\u string():第29行的/home4/cpanelusername/public\u html/…../search.php中的用户'root'@'localhost'(使用密码:no)的访问被拒绝
警告:mysql\u real\u escape\u string():无法在第29行的/home4/cpanelusername/public\u html/……/search.php中建立到服务器的链接
警告:mysql\u query():第33行的/home4/cpanelusername/public\u html/……./search.php中的用户“root”@“localhost”(使用密码:no)的访问被拒绝
警告:mysql\u query():无法在第33行的/home4/cpanelusername/public\u html/……/search.php中建立到服务器的链接拒绝用户“root”@“localhost”的访问(使用密码:否)
2条答案
按热度按时间uklbhaso1#
这是因为mysql\u real\u escape\u string考虑了连接的当前字符集。因此,它需要一个连接。:-)
请尝试连接数据库使用以下代码,请让我知道如果你有任何问题。
yizd12fk2#
清除来自userland的字符串不足以防止sql注入攻击。标准方法是使用准备好的查询。例如。: