PHP PDO绑定搜索框中的动态字段和值

时间:2013-08-19 20:37:30

标签: php pdo

我正在尝试使用PDO预处理语句运行查询,该语句允许我让用户选择一个字段,然后输入该字段的值,并将其包含在我的查询中。

所以在这个基本查询中:

$sql = "SELECT LastName, FirstName FROM administrators WHERE Status=:Status "; 
$stmt->bindParam(':Status',$Status, PDO::PARAM_STR);

效果很好。

但是我有一个搜索表单,允许用户选择显示FirstName,LastName的下拉列表,然后输入一个文本框来输入搜索词

$sql = "SELECT LastName, FirstName FROM administrators WHERE Status=:Status **AND FIELD = TERM**";

到目前为止,我还没有在网上找到任何好的例子。任何指导都表示赞赏。

我正在使用:

$params = array();
    if (!empty($SearchField) && !empty($SearchFor)) 
    {
        $params['SearchField'] = $SearchField;
        $params['SearchFor'] = $SearchFor;
    }

但我收到错误:     致命错误:未捕获异常'PDOException',消息'SQLSTATE [42S22]:未找到列:1054'where子句'中的未知列'SearchField''

更新的代码:

以下是我在表单中使用的代码:

 <input id="searchtext" name="searchtext" type="text" placeholder="Search" value="<?php echo GetParam('searchtext'); ?>" />   
                            <select name="searchby">
                                <option value="">Search By</option>
                                <option id="LastName" value="LastName" <?php if(GetParam('searchby') == 'LastName'){echo "selected='selected'";}?>>Last Name</option>
                                <option id="FirstName" value="FirstName" <?php if(GetParam('searchby') == 'FirstName'){echo "selected='selected'";}?>>First Name</option>
                                <option id="RoleName" value="RoleName" <?php if(GetParam('searchby') == 'RoleName'){echo "selected='selected'";}?>>Role Name</option>
                            </select>
                            <input type="submit" id="submit" name="command" value="search" />

这是我方法的代码:

public function GetAllUsers($Status = 'A',$SearchField = '',$SearchFor = '')
{
$db=DB::getInstance();
$sql = "SELECT administrators.AdminId, AdminEmail, LastName, FirstName, PrimaryPhone, CellPhone, administrators.Status, LoginDateTime, RoleName FROM administrators INNER JOIN permissions on permissions.AdminId=administrators.AdminId INNER JOIN roles on roles.RoleId=permissions.RoleId INNER JOIN sessions on sessions.AdminId=administrators.AdminId WHERE Status=:Status ";

$stmt=$db->prepare($sql);
$stmt->bindParam(':Status',$Status, PDO::PARAM_STR);

$stmt->execute();
return $stmt->fetchAll(PDO::FETCH_OBJ);
}

1 个答案:

答案 0 :(得分:0)

您不能使用标识符的参数(表/列名称等)。您需要适当地清理这些并将它们注入您的查询字符串中。您仍然可以使用参数作为值。我可能还会找到一组可搜索的列。例如

// create a map of field key to column name mappings
$searchCols = array(
    'fn' => 'FirstName',
    'ln' => 'LastName'
);

在显示表单时,您可以使用它来生成选项

<select name="SearchField">
    <?php foreach ($searchCols as $key => $label) : ?>
    <option value="<?= htmlspecialchars($key) ?>"><?= htmlspecialchars($label) ?></option>
    <?php endforeach ?>
</select>

现在使用它来构建您的查询

// you'll probably want some more validation around this
$searchField = $searchCols[$_POST['SearchField']];

$query = sprintf('SELECT LastName, FirstName FROM administrators WHERE Status = :Status AND `%s` = :searchTerm',
    $searchField);

// prepare statement and bind status, etc ...

$stmt->bindParam(':searchTerm', $SearchFor);
相关问题
最新问题