我试图在我的数据库中查找$ searchtext,其中$ selecteditem表示它正在搜索的columb。出于某种原因,当我尝试搜索我积极存在的东西时,它会返回0结果。
是的我知道sql注入,一旦我弄清楚如何轻松实现,我将把它改成mysqli。
我的表格 -
<form name="search" id="search" method="POST" action="">
<input type="text" name="searchterm" id="searchterm">
<select name="selectitem">
<option value="propertydescription">Property/Description</option>
<option value="transactiontype">Transaction type</option>
<option value="applicabledocument">Applicable document</option>
<option value="recieved">recieved</option>
<option value="paid">paid</option>
</select>
</div></td>
<td> </td>
<td><input type="submit" name="search" value="search"></td>
我的php for this-
if (isset($_POST['search']))
{
$columbname = $_POST['selectitem'];
$searchterm = $_POST['searchterm'];
$query="SELECT * FROM transactions WHERE agentclient = '$agentclient' AND $columbname = '$searchterm'";
$result = mysql_query ($query) or die(mysql_error());
}
else
答案 0 :(得分:0)
您可以通过打印查询并检查是否正在传递所需参数来测试它。如果是,则复制查询并运行mysql db并检查结果。
if (isset($_POST['search']))
{
$columbname = $_POST['selectitem'];
$searchterm = $_POST['searchterm'];
echo "SELECT * FROM transactions WHERE agentclient = '$agentclient' AND $columbname = '$searchterm'"; exit;
$query="SELECT * FROM transactions WHERE agentclient = '$agentclient' AND $columbname = '$searchterm'";
$result = mysql_query ($query) or die(mysql_error());
}
else
答案 1 :(得分:0)
如果$ columbname是varchar或从columbname字段中删除$ sign
,则使用LIKE操作