Question

我正在使用这个PHP来执行搜索，但是它从表中返回所有内容，而不是与搜索相关的任何内容...我也遇到了“mysqli_real_escape_string”的错误，但我不确定它是否相关。

<?php
$con=mysqli_connect("***","***","***","***");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Search results</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="stylesheet" type="text/css" href="style.css"/>
</head>
<body>
<?php
    $query = $_GET['query']; 
    // gets value sent over search form

    $min_length = 3;
    // you can set minimum length of the query if you want

    if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then

        $query = htmlspecialchars($query); 
        // changes characters used in html to their equivalents, for example: < to &gt;

        $query = mysqli_real_escape_string($query);
        // makes sure nobody uses SQL injection

        $raw_results = mysqli_query($con,"SELECT * FROM test_table
            WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')") or die(mysqli_error());

        if(mysqli_num_rows($raw_results) > 0){ // if one or more rows are returned do following

            echo "<table border='1'>
            <tr>
            <th>email</th>
            <th>pw</th>
            </tr>";

            while($results = mysqli_fetch_array($raw_results)){
            // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop

                echo "<tr><td>".$results['email']."</td><td>".$results['pw']."</td></tr>";
                //echo "<p><h3>".$results['email']."</h3>".$results['pw']."<br/>".$results['ID']."</p>";

            }

        }
        else{ // if there is no matching rows do following
            echo "No results";
        }

    }
    else{ // if query length is less than minimum
        echo "Minimum length is ".$min_length;
    }
?>
</body>
</html>

Answer 1

您的查询不正确。你应该使用反引号，而不是引号

$raw_results = mysqli_query($con,"SELECT * FROM test_table
        WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')") or
die(mysqli_error());

另外，mysqli_real_escape_string要求第一个参数为$ con

$query = mysqli_real_escape_string($con, $query);

Answer 2

WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')"

你错误地转义了你的列名，他们应该用反引号转义，而不是单引号;

 'email'  -- the string "email".
 `email`  -- the column "email".

换句话说，应该是;

WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')"

作为旁注，您最好使用参数化查询，而不是使用mysqli_real_escape_string()将查询构建为字符串。它对安全性更好，它使数据库可以查询查询。

如果你打算将它与程序类型调用一起使用（就像你一样），你需要将连接作为第一个参数传递给它;

$query = mysqli_real_escape_string($con, $query);

Answer 3

您需要以不同方式引用您的查询。试试这个：

"SELECT * FROM test_table WHERE (`email` LIKE '%" . $query . "%') OR (`pw` LIKE '%" . $query . "%')"

你的mysqli_real_escape_string也需要它中的$ con，如：

mysqli_real_escape_string($con, $query)

mysql搜索返回整个表

3 个答案: