如何将MYSQL数据显示到PHP搜索框中

时间:2013-03-31 16:10:33

标签: php mysql

您好我的任务中存在大量问题

我在xampp上设置了一个名为search_test的数据库,其中包含firstname和lastname作为字段。我已经设置了一个php表单,所以当用户输入一个名字时就说Andre会返回数据库中的所有andres。有一个问题它一直告诉我没有搜索结果,即使我知道数据库中有数据这里的代码应该是一个名为index.php的php页面

    <?php
    mysql_connect("localhost","michael","xcA123sd") or die(mysql_error());
    mysql_select_db("search_test") or die ("could not find db"); 
     $output ='';
    if (isset ($_POST['search']));
        $searchq = $_POST['search'];
    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" ) or die("could not search");
    $count = mysql_num_rows($query);
    if($count == 0){
        $output = 'There was no search results !';
        }else{
        while($row = mysql_fetch_array($query)){
        $fname = $row['firstname'];
        $output .='<div> '.$fname.'</div>';
        }

        }
}


?>

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>search</title>
</head>
<body>
<form action="index.php" method="post">
<input type="text" name="search" placeholder="search for members"/> 
<input type="submit" value=">>"/>
</form>
<?php print("$output);?>
</body
</html>

例如我输入andre in并获得响应

没有搜索结果!

有人可以帮忙

5 个答案:

答案 0 :(得分:2)

问题来自你的代码

$ query = mysql_query(“SELECT * FROM members WHERE firstname LIKE'%searchq%'”)

变量searchq后面没有$

答案 1 :(得分:2)

首先:你想要

$query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" ) or die("could not search");


$query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%$searchq%'" ) or die("could not search");

(请注意额外的$)。

那就是说,你有一个很大的SQL注入问题:假设,我“正常”运行一次查询:这让我想到了这些列。现在我发布' UNION ALL SELECT correct_field_num FROM information_schema.TABLES WHERE NAME LIKE '%作为我的搜索 - 这给了我你的表结构。通过发布' UNION ALL SELECT correct_column_num FROM any_table_name WHERE 'x' LIKE '%,我可以阅读任意表格。

请确保您使用一种易于理解的技术来构建来自任何用户输入的安全查询。从已弃用的mysql_real_escape_string()到参数化查询,有一个范围。

答案 2 :(得分:1)

LIKE '%searchq%'"

如果您需要变量,它会搜索类似'searchq'的字符串,添加相应的美元符号

答案 3 :(得分:0)

试试这个:

<?php
mysql_connect("localhost","michael","xcA123sd") or die(mysql_error());
mysql_select_db("search_test") or die ("could not find db"); 
$output ='';
if (isset($_get['search'])){
    $searchq = $_get['search'];
}
$query = mysql_query("SELECT * FROM members WHERE firstname LIKE $searchq" ) or die("could not search");
$count = mysql_num_rows($query);
if($count == 0){
    $output = 'There was no search results !';
}else{
    while($row = mysql_fetch_array($query)){
        $fname = $row['firstname'];
        $output .='<div> '.$fname.'</div>';
    }
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>search</title>
</head>
<body>
<form action="index.php" method="get">
<input type="text" name="search" placeholder="search for members"/> 
<input type="submit" value=">>"/>
</form>
<?php print("$output);?>
</body>
</html>

答案 4 :(得分:0)

对于您的select语句,您有:

$query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" ) or die("could not search");

应该是:

$query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%".$searchq."'%" ) or die("could not search");

因为您正在搜索名为searchq的变量中的内容,而不是字符串searchq:)

相关问题
最新问题