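I have tried everything to search for an age range from the form (let's say 18-21), but the form displays all the data in the database. The username search works. Any help appreciated.
The form is below: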
<?php
return'
<form id="searchForm" action="views/searchResults.php" method="GET">
<input id="searchBox" placeholder="Search" type="text" name="username" />
<select id="age" name="age">
<option value="0"> - </option>
<option value="18-20">18-20</option>
<option value="20-23">20-23</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
</select>
<select id="gender" name="gender">
<option name="nothing" value="0"> - </option>
<option name="female" value="female">Female</option>
<option name="male" value="male">Male</option>
</select>
<input id="searchButton" type="submit" value="Search" />
</form>';
?>
This is the search script:
<?php
mysql_connect("127.0.0.1", "root", "") or die("Error connecting to database: ".mysql_error());
/*
localhost - it's location of the mysql server, usually localhost
root - your username
third is your password
if connection fails it will stop loading the page and display an error
*/
mysql_select_db("modul8b") or die(mysql_error());
/* tutorial_search is the name of database we've created */
$username = $_GET['username'];
$age = $_GET['age'];
$male = $_GET['gender'];
$female = $_GET['gender'];
// gets value sent over search form
$min_length = 0;
// you can set minimum length of the query if you want
if(strlen($username) >= $min_length){ // if query length is more or equal minimum length then
$username = htmlspecialchars($username);
// changes characters used in html to their equivalents, for example: < to &lt;
$username = mysql_real_escape_string($username);
// makes sure nobody uses SQL injection
// Username query does not need a like, you know what the username will be precisely
$raw_results = mysql_query("SELECT * FROM user WHERE (`username` = '".$username."')");
// You need to filter out an age range
$ages = "";
switch($age)
{
case 0:
case 20:
case 21:
case 22:
$ages = $age;
break;
case "18-20":
$ages = "18,19,20";
break;
case "20-23":
$ages = "20,21,22,23";
break;
}
// combine with ages to get all relevant results
//$raw_results = mysql_query("SELECT * FROM user WHERE (`age` in (" . $ages . ") AND gender = '" . $gender . "')");
if(mysql_num_rows($raw_results) > 0){ // if one or more rows are returned do following
while($results = mysql_fetch_array($raw_results)){
// $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop
echo "<table border='1'>
<tr>
<th>username</th>
<th>gender</th>
<th>age</th>
</tr>";
{
echo "<tr>";
echo "<td>" . $results['username'] . "</td>";
echo "<td>" . $results['gender'] . "</td>";
echo "<td>" . $results['age'] . "</td>";
echo "</tr>";
}
echo "</table>";
}
}
else{ // if there is no matching rows do following
echo "No results";
}
}
else{ // if query length is less than minimum
echo "Minimum length is ".$min_length;
}
?>
Here is the table:
CREATE TABLE IF NOT EXISTS `user` (
`user_id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(64) NOT NULL,
`email` varchar(64) NOT NULL,
`password` varchar(32) NOT NULL,
`age` int(11) NOT NULL,
`gender` varchar(7) NOT NULL,
`image` blob NOT NULL,
PRIMARY KEY (`user_id`),
UNIQUE KEY `email` (`email`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=24 ;
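Any help is appreciated. Thanks
Answer 0 (score: 4)
First of all, you are using the deprecated mysql_ functions; use PDO or mysqli. Also, your code may be open to SQL injection.
Apart from that, you are getting all results because of incorrect use of the MySQL query.
For example, a user might enter the following information.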
No Username
18-20
Male
When submitted, this would produce
// Username not set
@$age = '18-20';
@$male = 'male';
// Female not set
This would make your final query equivalent to
SELECT * FROM user WHERE (`gender` LIKE '%male%' OR `gender` LIKE '%%')
Since % is a wildcard, it will match all records in the database.
You need to validate the input and make sure the correct query is run.
Try something like
// Username query does not need a like, you know what the username will be precisely
$raw_results = mysql_query("SELECT * FROM user WHERE (`username` = '".$username."')");
// You need to filter out an age range
$ages = "";
switch($age)
{
    // string labels: with loose comparison, case 20 would also match "20-23"
    case "0":
    case "20":
    case "21":
    case "22":
        $ages = $age;
        break;
    case "18-20":
        $ages = "18,19,20";
        break;
    case "20-23":
        $ages = "20,21,22,23";
        break;
}
// escape the gender value before it goes into the query
$gender = mysql_real_escape_string($_GET['gender']);
// combine with ages to get all relevant results
$raw_results = mysql_query("SELECT * FROM user WHERE (`age` in (" . $ages . ") AND gender = '" . $gender . "')");
Full code - untested
<?php
mysql_connect("127.0.0.1", "root", "") or die("Error connecting to database: ".mysql_error());
/*
localhost - it's location of the mysql server, usually localhost
root - your username
third is your password
if connection fails it will stop loading the page and display an error
*/
mysql_select_db("modul8b") or die(mysql_error());
/* tutorial_search is the name of database we've created */
$username = $_GET['username'];
$age = $_GET['age'];
$male = $_GET['gender'];
$female = $_GET['gender'];
// gets value sent over search form
$min_length = 0;
// you can set minimum length of the query if you want
if (strlen($username) > 0 && strlen($username) >= $min_length) { // a username was entered and it is at least the minimum length
    $username = htmlspecialchars($username);
    // changes characters used in html to their equivalents, for example: < to &lt;
    $username = mysql_real_escape_string($username);
    // makes sure nobody uses SQL injection
    // Username query does not need a like, you know what the username will be precisely
    $raw_results = mysql_query("SELECT * FROM user WHERE (`username` = '".$username."')");
} else if (strlen($age) > 0 && (strlen($male) > 0 || strlen($female) > 0)) {
    // You need to filter out an age range
    $ages = "";
    switch($age)
    {
        // string labels: with loose comparison, case 20 would also match "20-23"
        case "0":
        case "20":
        case "21":
        case "22":
            $ages = $age;
            break;
        case "18-20":
            $ages = "18,19,20";
            break;
        case "20-23":
            $ages = "20,21,22,23";
            break;
    }
    if ($ages !== "") { // skip the query when the age value is not one of the known options
        // escape the gender value before it goes into the query
        $gender = mysql_real_escape_string($male);
        // combine with ages to get all relevant results
        $raw_results = mysql_query("SELECT * FROM user WHERE (`age` in (" . $ages . ") AND gender = '" . $gender . "')");
    }
} else { // if query length is less than minimum
    echo "Minimum length is ".$min_length;
}
if(isset($raw_results)) {
    if (mysql_num_rows($raw_results) > 0){ // if one or more rows are returned do following
        // print the table header once, before the loop
        echo "<table border='1'>
        <tr>
        <th>username</th>
        <th>gender</th>
        <th>age</th>
        </tr>";
        while($results = mysql_fetch_array($raw_results)){
            // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop
            // escape stored values when they are written into the page
            echo "<tr>";
            echo "<td>" . htmlspecialchars($results['username']) . "</td>";
            echo "<td>" . htmlspecialchars($results['gender']) . "</td>";
            echo "<td>" . htmlspecialchars($results['age']) . "</td>";
            echo "</tr>";
        }
        echo "</table>";
    }
    else{ // if there is no matching rows do following
        echo "No results";
    }
}
?>
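The input validation the answer asks for, as an added example (not the answer's own code): each filter is checked against the values the form can send and bound through a PDO prepared statement, and an empty search returns nothing instead of the whole table. The helper names and the in-memory SQLite table with constructed rows are assumptions for the demo.

```php
<?php
// Added example, not the answer's code; helper names are hypothetical.
// Allowed values mirror the form's <select> options; anything else is rejected.
const AGE_RANGES = ['18-20' => [18, 20], '20-23' => [20, 23],
                    '20' => [20, 20], '21' => [21, 21], '22' => [22, 22]];
const GENDERS = ['female', 'male'];
// Returns the field only if it is a plain string (age[]=x style arrays fall back).
function field(array $in, string $key, string $default): string {
    return is_string($in[$key] ?? null) ? $in[$key] : $default;
}

// Turns $_GET-style input into WHERE conditions plus the values to bind.
function buildFilters(array $in): array {
    $where = []; $params = [];
    $username = trim(field($in, 'username', ''));
    if ($username !== '') { $where[] = 'username = :username'; $params[':username'] = $username; }
    $age = field($in, 'age', '0');
    if ($age !== '0') {                 // "0" is the form's "-" option: no age filter
        if (!array_key_exists($age, AGE_RANGES)) throw new InvalidArgumentException('invalid age');
        $where[] = 'age BETWEEN :min AND :max';
        list($params[':min'], $params[':max']) = AGE_RANGES[$age];
    }
    $gender = field($in, 'gender', '0');
    if ($gender !== '0') {
        if (!in_array($gender, GENDERS, true)) throw new InvalidArgumentException('invalid gender');
        $where[] = 'gender = :gender'; $params[':gender'] = $gender;
    }
    return [$where, $params];
}

function searchUsers(PDO $db, array $in): array {
    list($where, $params) = buildFilters($in);
    if (!$where) return [];             // no filter chosen: never dump the whole table
    $stmt = $db->prepare('SELECT username, gender, age FROM user WHERE ' . implode(' AND ', $where));
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT, gender TEXT, age INTEGER)');
$db->exec("INSERT INTO user VALUES ('anna','female',19), ('ben','male',20), ('carl','male',25)");
foreach (searchUsers($db, ['username' => '', 'age' => '18-20', 'gender' => 'male']) as $row) {
    // escape on output, not before the query
    echo htmlspecialchars($row['username'] . ' ' . $row['gender']), ' ', (int)$row['age'], "\n";
}
```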