选择某个值时,回显不会出现

时间:2013-01-31 06:30:38

标签: php mysqli

我在下面有一个评估下拉菜单:

<select name="session" id="sessionsDrop">
<option value="All">All</option>
<option value="2">EOWOW</option>
<option value="34">EOWOW</option>
</select>  


 <select name="student" id="studentsDrop">
    <option value="All">All</option>
    <option value="23">Jay Hart</option>
    <option value="32">Bubba Wright</option>
    </select>

上面是一个简单的下拉菜单。我在下面运行查询以获取所选学生的详细信息以及获取所选的评估详细信息。现在,选定的评估输出详细信息没有问题,但所选学生选项的回显不起作用,就像用户选择All选项,然后回显"<p><strong>Students: </strong>All Students - Total:(" .$selstudentnum . ")</p>" . PHP_EOL;一样。但问题是如果选择All选项,它不会显示此回显。事实上,如果选择了All选项,它根本不会显示回声。我试过=====都看不到我做错了什么

$selectedsessionqry = "
SELECT
SessionName, SessionDate, SessionTime
FROM
Session
WHERE
(SessionId = ?)
";

global $mysqli;
$selectedsessionstmt=$mysqli->prepare($selectedsessionqry);
// You only need to call bind_param once
$selectedsessionstmt->bind_param("i",$_POST["session"]);
// get result and assign variables (prefix with db)
$selectedsessionstmt->execute(); 
$selectedsessionstmt->bind_result($selSessionName,$selSessionDate,$selSessionTime);

 while ($selectedsessionstmt->fetch()) {

     echo "<p><strong>Assessment: </strong>" . $selSessionName . " - " . date('d-m-Y',strtotime($selSessionDate)) . " - " . date('H:i',strtotime($selSessionTime)) . "</p>" . PHP_EOL;

 }


$selectedsessionstmt->close();   

    $selectedstudentqry = "
        SELECT
        StudentAlias, StudentForename, StudentSurname
        FROM
        Student
        WHERE
        (StudentId = ?)
        ";

        global $mysqli;
        $selectedstudentstmt=$mysqli->prepare($selectedstudentqry);
        // You only need to call bind_param once
        $selectedstudentstmt->bind_param("i",$_POST["student"]);
        // get result and assign variables (prefix with db)
        $selectedstudentstmt->execute(); 
        $selectedstudentstmt->bind_result($selStudentAlias,$selStudentForename,$selStudentSurname);
        $selectedstudentstmt->store_result();
        $selstudentnum = $selectedstudentstmt->num_rows();   

         while ($selectedstudentstmt->fetch()) {

        if($_POST["student"] === 'All') {
            echo "<p><strong>Students: </strong>All Students - Total:(" .$selstudentnum . ")</p>" . PHP_EOL;
        }else{
            echo "<p><strong>Students: </strong>" . $selStudentAlias . " - " . $selStudentForename . " " . $selStudentSurname . "</p>" . PHP_EOL;
        }
        }

1 个答案:

答案 0 :(得分:0)

我认为你的病情在这里失败了

 $selectedstudentstmt->bind_param("i",$_POST["student"]);

它期望整数值但你发送字符串。

不要在查询中直接使用$ _POST。它会导致sql注入攻击。

在sql查询中使用之前清理用户输入。

的变化: 在查询之前添加以下条件。再次不要忘记消毒。

if ($_POST["student"] == 'ALL') {
   $where = WHERE (StudentId = ?) ";
} else {
  $where  = "";
}
$selectedstudentqry = " SELECT StudentAlias, StudentForename, StudentSurname FROM    Student  $where