多功能PHP代码 - 似乎无法让它发挥作用

时间:2014-05-08 15:05:32

标签: php mysql

使用多功能工具的某些功能时,我遇到了一些困难。我希望能够按名称或目录号进行排序,按类别过滤,或进行开放式搜索。这是当前的代码:

$sort = ($_POST['sort']) ? $_POST['sort'] : 'name';
$order = ($_POST['order']) ? $_POST['order'] : 'asc';

if($_POST['Search'])
{
    $search = ($_POST['Search']);
    $query_compounds = "select * from compounds where name like'%$search%' or catalog_number like'%$search%' or synonyms like'%$search%' or cas_number like'%$search%' or formula_weight like'%$search%' or molecular_formula like'%$search%'";
}
else if($_POST['category']) {
    $category = ($_POST['category']);
    $query_compounds = "select * from compounds where category = ".$category;
}
else {
    $query_compounds = "select * from compounds order by " . $sort . " " . $order;
}

稍后在页面中,调用以下代码:

<form name="SortForm" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" style="float:left;">
    <select name="sort">
        <option <?php if($sort == 'name'){ echo "selected"; }?> value="name">Name</option>
        <option <?php if($sort == 'catalog_number'){ echo "selected"; }?> value="catalog_number">Catalog Number</option>
    </select>
    <select name="order">
        <option <?php if($order == 'asc'){ echo "selected"; }?> value="asc">Ascending</option>
        <option <?php if($order == 'desc'){ echo "selected"; }?> value="desc">Descending</option>
    </select>
    <input name="SortForm" type="submit" id="SortForm" value="Sort">
</form>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" style="float:left;">
    <select name="category">
        <option <?php if($category == 'Compounds'){ echo "selected"; }?> value="Compounds">Compounds</option>
        <option <?php if($category == 'Glucuronides'){ echo "selected"; }?> value="Glucuronides">Glucuronides</option>
        <option <?php if($category == 'Metabolites'){ echo "selected"; }?> value="Metabolites">Metabolites</option>
    </select>
    <input name="category" type="submit" id="category" value="Select">
</form>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="GET" style="float:left;">
    <input id="Search" type="text" placeholder="Type here">
    <input id="Search" type="submit" value="Search" name="Search">
</form>

非常感谢任何有关此事的协助。

1 个答案:

答案 0 :(得分:0)

您需要尽快更改PHP。请参阅上面有关SQL注入的注释。你的代码很危险。

对于过滤,让PHP通过动态构建查询来为您做繁重的工作。当你发现自己重复的东西 - 例如您的个人疑问 - 这是一个很好的指标,表明您走错了路。我建议调查像Laravel这样的框架。它照顾了很多像这样的样板。它的查询生成器非常棒。

如果您想使用普通PHP执行此操作,请执行以下操作:

$where = array();

if ( isset($_POST['Search']) ) {
    $search = mysql_real_escape_string($_POST['Search']);
    $where['Search'] = "( name LIKE('%".$search."%') 
                        OR catalog_number LIKE('%".$search."%') 
                        OR synonyms LIKE('%".$search."%') 
                        OR cas_number LIKE('%".$search."%') 
                        OR formula_weight LIKE('%".$search."%') 
                        OR molecular_formula LIKE('%".$search."') )";   
}

if ( isset($_POST['category']) ) {
    $category = mysql_real_escape_string($_POST['category']);
    $where['category'] = "category = '".$category."'";
}

if ( count($where) > 0 ) {
    $where = ' WHERE '.implode(' AND ', $where);    
}

$sql = 'SELECT * FROM compounds'.$where.' ORDER BY ...';

请注意,我使用mysql_real_escape_string()来清理用户输入只是因为我怀疑你还在使用mysql_函数。你应该至少使用mysqli_函数。

使用上述策略,您可以根据自己的喜好过滤尽可能多的(或很少的)变量。

相关问题
最新问题