表(书)==> (KEYID,名称)
<form action="se.php">
<select>
<option value="1">book1</option>
<option value="2">book2</option>
<option value="3">book3</option>
<option value="????">All Book</option>
</select>
<input type="submit" name="search" value="search">
</form>
//se.php
$keyid=$_GET[keyid];
$sql=mysql_query("SELECT `name` FROM `book` WHERE `keyid`='$keyid'");
//end page
我把最后一个选项值(????)放入sql查询搜索所有内容???
答案 0 :(得分:2)
所有
然后:
$where = '';
if $keyid != all then {
$where = WHERE `keyid`= $keyid // escape value protect from sql injection!
}
mysql_query("SELECT `name` FROM `book` $where");
答案 1 :(得分:1)
这应该这样做:
$keyid=mysql_real_escape_string($_GET[keyid]);
if(trim($keyid)!="")
$where = " `keyid`='$keyid' ";
else
$where = " 1 ";
$sql=mysql_query("SELECT `name` FROM `book` WHERE $where ");
答案 2 :(得分:1)
你的代码在保护sql注入方面非常弱。你应该逃避你的输入,永远不要相信你收到的价值观。在您的选项中考虑这个值:
<option value="';truncate table book;">All Book</option>
一个好的方法是@cojack的答案