javascript 如何在带有用户输入字段的 html 页面上执行 sql 命令,并在同一页面上显示结果
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7795791/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
how to perform sql command on html page with user input field, and show result on the same page
提问by user987013
i write a command, or i fill up parameter value from user input field. click the button, send this command to php and send resultant value back to html to display. for example. on html page :
我写了一个命令,或者我从用户输入字段中填写了参数值。单击按钮,将此命令发送到 php 并将结果值发送回 html 以显示。例如。在 html 页面上:
select ___ from ____,
two available input field i fill up with "tablenameone" and "valueone". then, result will be printed on html text field on the same page.
我用“tablenameone”和“valueone”填充了两个可用的输入字段。然后,结果将打印在同一页面的 html 文本字段上。
what i do know is those value can be sent(perhaps) as in such format
我所知道的是这些值可以(可能)以这种格式发送
$('input[name="talbename"]')
$('input[name="value"]')
example.com?tablename=tablenameone&value=valueone
and from php side i use
从 php 端我使用
$sql="SELECT '$_GET['value']' FROM '$_GET['tablename']';
what i dont know is that....how exactly should i perform this in a click function? its for sure using ajax. but how can i produce example.com?tablename=tablenameone&value=valueone and where should i put $('input[name="value"]')
我不知道的是....我应该如何在点击功能中执行此操作?它肯定使用ajax。但是我怎样才能产生example.com?tablename=tablenameone&value=valueone 我应该把$('input[name="value"]')
thanks in advance :D
先谢谢了
回答by Fenton
You must not use direct input in your queries as you will be open to SQL injection attacks.
您不得在查询中使用直接输入,因为您将容易受到SQL 注入攻击。
$sql="SELECT '$_GET['value']' FROM '$_GET['tablename']';
Instead, use the following:
相反,请使用以下内容:
$column = $_GET['value'];
$table = $_GET['tablename'];
$sql = sprintf("SELECT %s FROM %s;",
mysql_real_escape_string($column),
mysql_real_escape_string($table));
Although you are still exposing too much "inside information" by giving people a page that tells them all of your table and column names!
尽管您仍然通过向人们提供一个页面告诉他们您所有的表和列名称来暴露过多的“内部信息”!
Anyway, here is a complete example;
不管怎样,这里有一个完整的例子;
<form method="post" action="">
<fieldset>
<legend>Select Data</legend>
<p><label>Table<br>
<select name="table">
<option value="tblStudents">Students</option>
</select></label></p>
<p><label>Table<br>
<select name="column">
<option value="firstname">First Name</option>
<option value="lastname">Last Name</option>
</select></label></p>
<p><input type="submit" name="submit" value="submit">
</fieldset>
</form>
<?php
$connection = mysql_connect("servername:3306", "user", "password") or die ('Error connecting to mysql');
mysql_select_db("databasename");
$column = mysql_real_escape_string($_POST['column']);
$table = mysql_real_escape_string($_POST['table']);
$sql = sprintf("SELECT %s FROM %s;",
$column,
$table);
$result = mysql_query($sql) or die(mysql_error());
echo '<ul>';
while($row = mysql_fetch_array($result)) {
echo '<li>' . $row[$column] . '</li>';
}
echo '</ul>';
mysql_close($connection);
?>
回答by Derek Organ
You really want to make sure you are not open to SQL injection.
你真的想确保你不会接受 SQL 注入。
You could use mysql prepared statements
您可以使用 mysql 准备好的语句
or
或者
use the php function mysql_real_escape_string($_GET['value'])
使用php函数 mysql_real_escape_string($_GET['value'])
Read this thread: How can I prevent SQL injection in PHP?
阅读此主题: 如何防止 PHP 中的 SQL 注入?
I'm not sure what you mean by the click function.
我不确定您所说的点击功能是什么意思。
回答by rickyduck
Seeming as though noone has actually answered the question (although they are all good points, I will assume there is a reason for you doing this), I will answer:
好像没有人真正回答过这个问题(虽然它们都是好点,但我认为你这样做是有原因的),我会回答:
$('form[name=formname]').submit(function(e){
e.preventDefault;
var tablename = $('input[name="tablename"]').val();
var value = $('input[name="value"]').val();
$.get("example.php?tablename="+tablename+"&value="+value, function(data){
$('body div').text(data);
})
});
PHP:
PHP:
$sql=mysql_query("SELECT '$_GET['value']' FROM '$_GET['tablename']'")or die(mysql_error());
$sqlOutput = mysql_fetch_array($sql);
echo "<pre>";
print_r($sqlOutput);
echo "</pre>";
Obviously replace formnamewith your form name, body divwith the name of the element you want the output to go in and all other identifiers replaced where seen fit. Then change the output in the PHP to suit your needs.
显然,替换formname为您的表单名称,替换为您body div希望输出进入的元素的名称,并在合适的地方替换所有其他标识符。然后更改 PHP 中的输出以满足您的需要。
Again, do bear in mind the posts regarding SQLi, because you have yourself a very serious problem there.
同样,请记住有关 SQLi 的帖子,因为您在那里遇到了非常严重的问题。
