Limiting queries to a specific category_问答_开发者

开发者 https://www.devze.com 2023-02-01 07:02 出处：网络

Im trying to do a mysql query and keep the results of the answer within a specific category, but I am lost on the correctness of the last line.

相关专题：php

Im trying to do a mysql query and keep the results of the answer within a specific category, but I am lost on the correctness of the last line.

$category_in_now = get_products_category_id($_GET['products_id']);
$similar_products = "SELECT p.products_type, p.products_id, pd.products_name, 
p.products_image, p.products_price, p.products_tax_class_id,
p.products_date_added, m.manufacturers_name, p.products_model, p.products_quantity, 
p.products_weight, p.product_is_call,
p.product_is_always_free_shipping, p.products_qty_box_status,
p.master_categories_id
FROM " . TABLE_PRODUCTS . " p
LEFT JOIN " . TABLE_MANUFACTURERS . " m 
ON (p.manufacturers_id = m.manufacturers_id), " . 
TABLE_PRODUCTS_DESCRIPTION . " pd
WHERE p.products_status = 1
AND p.products_id = pd.products_id
AND p.master_categories_id  == " . $category_in_now;

DEC 29: I ended up doing this, but am left with some questions on on the RAND LIMIT part the need for looping, am I doing this correctly?

<?php 
echo '<div>';
$category_in_now = zen_get_products_category_id($_GET['products_id']);

for($i=0;$i<4;$i++) {
        $products_query_raw = "SELECT p.products_开发者_JAVA百科id, p.products_type, pd.products_name, p.products_image, p.products_price,
                               p.master_categories_id
                               FROM " . TABLE_PRODUCTS . " p
                               LEFT JOIN " . TABLE_MANUFACTURERS . " m
                               ON (p.manufacturers_id = m.manufacturers_id), " . TABLE_PRODUCTS_DESCRIPTION . " pd
                               WHERE p.products_status = 1 
                               AND p.products_id = pd.products_id
                               AND p.master_categories_id = :catInNow  ORDER BY rand() LIMIT 0,4";

        $products_query_raw = $db->bindVars($products_query_raw, ':catInNow', $category_in_now, 'integer');
        $result = $db->Execute($products_query_raw);

        echo '<li>';
            echo '<div id="item">';
        if ($result->RecordCount() > 0) {
            echo '<a href="' . zen_href_link('product_info', 'cPath=' . $cPath .  '&products_id=' . $result->fields['products_id']) . '">';
            echo zen_image(DIR_WS_IMAGES . $result->fields['products_image'], $result->fields['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
            echo '</a>';
            echo '</div>';
        echo '</li>';
        }
}
echo '</div>';
?>

Depending on what get_products_category_id() does, this can be an SQL injection hole. You never append a variable like that. These days, you use prepared statements from mysqli or PDO. Of course, you can manually escape or in some special cases, a casting to int is enough (you can't hide any mischief in an integer) but doing this is asking for trouble. Have a central helper that avoids this (or just use Drupal :) ).

Finally, the last line is certainly wrong SQL-wise too as == is not an SQL operation. Given that your helper is called getting product*s* I suspect you wanted IN. If it's a single value, then =.