带有WHERE子句的动态PDO参数绑定问题

时间:2014-08-24 19:50:26

标签: php mysql pdo

我有一个搜索表单,用户可以在其中输入一些信息来搜索数据库中的记录。由于某些字段可以留空,我动态创建查询的WHERE子句以及动态绑定PDO参数。如果用户仅在搜索表单中填写1个字段但是如果使用多于1个字段,则返回空数组,这一切都很有效。这是我的代码。

if(count($_POST)>0)
{   
    //Remove any key that has no value  
    $data = array_filter($_POST);

    //Define array to hold the pieces of the where clause
    $where = array();

    //loop each of the variable to build the query
    foreach($data as $key=>$value)
    {
        $key = mysql_real_escape_string($key);

        //Push values to array
        array_push($where, "$key=:$key");
    }

    //Create the select query
        $query = "SELECT application_ID, 
                     student_last_name, 
                     student_first_name,
                     s.school_name,
                     DATE_FORMAT(submission_datetime, '%m/%d/%Y %h:%i:%s %p') AS  submission_datetime, 
                     aps.name  
                     FROM application a
                     LEFT JOIN application_status aps ON(aps.status_ID = a.application_status_ID)
                     LEFT JOIN schools s ON(s.school_ID = a.school_choice)";
    //As long as criteria was selected in the search form then add the where clause to the query with user's search criteria
    if(!empty($where))
    {       
        $query .= "WHERE ".implode(" AND ", $where);
    }

    //Add ORDER BY clause to the query
    $query .= " ORDER BY application_ID";

    $stmt = $conn->prepare($query);
    //loop each of the variables to bind parameters
    foreach($data as $key=>$value)
        {
            $value = mysql_real_escape_string($value);
            $stmt->bindparam(':'.$key, $value);
        }
    $stmt->execute();
    $result = $stmt->fetchall(PDO::FETCH_ASSOC);


}

当我回显查询时,一切看起来都很好,甚至在从PHPMyAdmin运行时返回结果。这是查询。

SELECT application_ID, 
       student_last_name, 
       student_first_name, 
       s.school_name, 
       DATE_FORMAT(submission_datetime, '%m/%d/%Y %h:%i:%s %p') AS submission_datetime,
       aps.name 
       FROM application a 
       LEFT JOIN application_status aps ON(aps.status_ID = a.application_status_ID)
       LEFT JOIN schools s ON(s.school_ID = a.school_choice)
       WHERE school_choice=:school_choice AND status_ID=:status_ID 
       ORDER BY application_ID ASC

当我print_r时,我得到一个空数组。 感谢您提供的任何帮助。

2 个答案:

答案 0 :(得分:1)

当您遍历数组以将值绑定到PDO语句时,您应该使用bindValue而不是bindParam。

当您说$stmt->bindparam(':'.$key, $value)时,查询将使用变量$value的值,就像查询执行时一样。 $value的值将是数组的最后一个元素。

http://php.net/manual/en/pdostatement.bindvalue.php

我希望这会有所帮助。

答案 1 :(得分:0)

您不应该将mysql_real_escape_string()用于准备好的语句。事实上,如果您没有初始化mysql_connect(),则此功能将无效。

这一定是为什么一切都失败了,您对mysql_real_escape_string()的来电正在为所有内容返回FALSE

此外,是什么让您认为来自$_POST的数组键可以安全地用于您的SQL查询?你在这里冒着SQL注入的风险,不要那样做。

相关问题
最新问题