MSSQL调用中的PHP IF语句

时间:2012-06-11 19:47:03

标签: php sql sql-server database if-statement

好的,我花了太长时间尝试在TSQL查询字符串中添加if语句。任何帮助,将不胜感激。这是带有语法错误的字符串。

$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".if !empty($_GET['search']) echo ('AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}).")
";

谢谢大家的注意。我在这方面比较新,但试图使用以下方法防止注射:

    function ms_escape_string($data) {
    if ( !isset($data) or empty($data) ) return '';
    if ( is_numeric($data) ) return $data;

    $non_displayables = array(
        '/%0[0-8bcef]/',            // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',             // url encoded 16-31
        '/[\x00-\x08]/',            // 00-08
        '/\x0b/',                   // 11
        '/\x0c/',                   // 12
        '/[\x0e-\x1f]/'             // 14-31


    );
    foreach ( $non_displayables as $regex )
    $data = preg_replace( $regex, '', $data );
    $data = str_replace("'", "''", $data );
    return $data;
    }

    function sanitize($data){
    $data=trim($data);
    $data=htmlspecialchars($data);
    $data=ms_real_escape_string($data);
    return $data;
    }

    $search = sanitize($_GET['search']);

5 个答案:

答案 0 :(得分:2)

内联条件怎么样?

<?php

$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)"
.( (!empty($_GET['search'])) ? ' AND tblCasesLawyers.PLAINTIFFLASTNAME='.$_GET['search'] : '').")";

?>

答案 1 :(得分:2)

我不认为连接这样的if语句在语法上是合法的。它不会评估操作员可以解决的任何问题。使用三元组或将您的陈述分成三部分(在根据this answer编写cleanse方法之后:

$cleanCenterID = cleanse($_SESSION['center']);
$clentSearch = cleanse($_GET['search']);


$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' +tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$cleanCenterID}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)";

if(!empty($cleanSearch)) {
    $sql .= 'AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$cleanSearch});
}

$sql .= ")";

答案 2 :(得分:1)

您可以使用内联“if”将条件语句插入字符串,即

$sql = 'Your sql '.(!empty($_GET['search']) ? 'some sql' : 'some other sql').' the rest of your sql';

答案 3 :(得分:1)

我认为如果在这里你需要一行:

 "AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".
((!empty($_GET['search']) ? 'AND tblCasesLawyers.PLAINTIFFLASTNAME=' . $_GET['search'] : '' ). 
")

如某些注释所述,以这种方式连接查询可能会导致SQL Injection,为避免SQL注入,您可以使用预准备语句和参数化查询,请参阅this question以了解避免SQL的最佳方法注射;-)。

由于

去了

$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".( (!empty($search)) ? " AND tblCasesLawyers.PLAINTIFFLASTNAME='". $search . "'" : '').")";

答案 4 :(得分:0)

如果更换代码,它会起作用吗?

.if !empty($_GET['search']) echo ('AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}).")

用这个:

'AND (  tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}.' OR len('.{$_GET['search']}.') = 0 OR '.{$_GET['search']}.' is null)'
相关问题
最新问题