我有以下表格,允许用户搜索工作。搜索工作正常并返回结果,除了我无法获取表单返回某个字段的所有结果。薪水的40,000+选项也不起作用。
<form name="search" action="jobsearch.php" method="post">
<table><tr><td class="value"><select id="JobType" name="JobType"><option value="*">Job Type</option><option value="Permanant">Permanant</option>
<option value="Temporary">Temporary</option></select>
<option value="*">Both</option></select></td></tr>
<tr><td class="value"><select id="Industry" name="Industry"><option value="*">Industry</option>
<option value="Farming">Farming</option>
<option value="Childcare">Childcare</option>
<option value="Emergency Services">Emergency Services</option>
<option value="Goverment">Goverment</option>
<option value="Computing">Computing</option>
<option value="*">All</option></select></td></tr>
<tr><td class="value"><select id="County" name="County"><option value="*" selected="selected">Location</option>
<option value="North Yorkshire">North Yorkshire</option>
<option value="East Yorkshire">East Yorkshire</option>
<option value="South Yorkshire">South Yorkshire</option>
<option value="West Yorkshire">West Yorkshire</option>
<option value="*">All Areas</option></select></td></tr>
<tr><td class="value"><select id="Salary" name="Salary"><option value="">Salary</option>
<option value="15000 <= 19999">£15,000 - £19,999</option>
<option value="20000 <= 29999">£20,000 - £29,999</option>
<option value="30000 <= 39999">£30,000 - £39,999</option>
<option value="40000 <=">£40,000 +</option></select></td></tr>
<tr><td class="value submit-button"><input name="Submit" type="submit" class="button" value="Submit"></td></tr></table>
</form>
PHP如下
<?php
include_once('db.php');
$sql = "SELECT * FROM Job WHERE JobType='" . $_POST['JobType'] . "' AND Industry='" . $_POST['Industry'] . "' AND County='" . $_POST['County'] . "' AND Salary='" . $_POST['Salary'] . "' ORDER BY JobID";
$query = mysqli_query($con,$sql);
$repeat = "Displaying jobs that are:<br /><strong> " . $_POST['JobType'] . " </strong>within<strong> " . $_POST['Industry'] . " </strong>in the county of<strong> " . $_POST['County'] . " </strong>with a salary of £<strong> " . $_POST['Salary'] . "</strong>.";
echo "$repeat<hr>";
while ($row = mysqli_fetch_array($query)) {
echo "<strong>Job ID</strong><li>$row[JobID]</li><br />
<strong>Job Title</strong><li>$row[JobTitle]</li><br />
<strong>Description</strong><li>$row[JobDescription]</li><br />
<strong>Industry</strong><li>$row[Industry]</li><br />
<strong>Full/Part time</strong><li>$row[JobType]</li><br />
<strong>Salary £</strong><li>$row[Salary]</li><br />
<strong>County</strong><li>$row[County]</li><br />
<strong>Town</strong><li>$row[Town]</li><hr>";
}
mysqli_close($con);
?>
答案 0 :(得分:1)
在将$ _POST变量添加到查询之前,您没有清理它们。
这是一种高风险的安全漏洞。
1)你必须
mysqli_real_escape_string($_POST['your values']);
即:
$sql = "SELECT * FROM Job WHERE "
."JobType='" .mysqli_real_escape_string($_POST['JobType']) ."' AND "
."Industry='" .mysqli_real_escape_string($_POST['Industry'])."' AND "
."County='" .mysqli_real_escape_string($_POST['County']) ."' AND "
."Salary='" .mysqli_real_escape_string($_POST['Salary']) ."' "
."ORDER BY JobID";
在将它们添加到查询之前或之后。如果您不这样做,用户可以通过表单输入将恶意sql命令添加到您的查询中。此类攻击称为SQL injection attacks ...
2)“40000&lt; =”问题...通常它应该有效...但最好是在安全方面: 通过使15,20,30,40等选项的值越短,它们在数据库中占用的空间就越小。
HTML条目如下:
<select id="Salary" name="Salary">
<option value="">Salary</option>
<option value="15">£15,000 - £19,999</option>
<option value="20">£20,000 - £29,999</option>
<option value="30">£30,000 - £39,999</option>
<option value="40">£40,000 + </option>
</select>
yor数据库表中的Salary字段现在可以是2个字符...
以这种方式输出记录:
while ($row = mysqli_fetch_array($query)) {
switch($row['Salary']){
case '15': $sa = "£15,000 - £19,999"; break;
case '20': $sa = "£20,000 - £29,999"; break;
case '30': $sa = "£30,000 - £39,999"; break;
case '40': $sa = "£40,000 +"; break;
default : $sa = "Not indicated";
}
echo "<strong>Job ID</strong><li>$row[JobID]</li><br />
<strong>Job Title</strong><li>$row[JobTitle]</li><br />
<strong>Description</strong><li>$row[JobDescription]</li><br />
<strong>Industry</strong><li>$row[Industry]</li><br />
<strong>Full/Part time</strong><li>$row[JobType]</li><br />
<strong>Salary </strong><li>$sa</li><br />
<strong>County</strong><li>$row[County]</li><br />
<strong>Town</strong><li>$row[Town]</li><hr>";
}
3)要获取特定字段或字段组合的结果:
(我希望我理解正确,例如用户只提供薪水和县而不是其他数据,所以你想收集它们)
你必须像这样自动构建你的SQL查询:
$sql = '';
foreach($_POST as $key => $val){ // here we build the query
$key = mysqli_real_escape_string(trim($key));
$val = mysqli_real_escape_string(trim($val));
if($val=="")continue; // if empty skip it.
if($sql != '')$sql += " AND "; // if more than one field add AND
$sql = "$key='$val'"
}
if($sql == ''){
echo 'No input given to search for.';
exit(0);
}
$sql = "SELECT * FROM Job WHERE ".$sql." ORDER BY JobID";
答案 1 :(得分:0)
如果您使用Salary='" . $_POST['Salary'],那么您的查询将变为Salary='40000 <=',您的查询将尝试查找值Salary='40000 <=',以便您的数据库包含此类记录