从多个用户提供的MySQL搜索where子句 - 修复和更好的算法

时间:2013-09-22 04:12:10

标签: php mysql sql algorithm where

我想运行搜索查询,其中我有多个where子句。和倍数取决于用户参数。

例如,我的意思是,在我的情况下,搜索可能依赖于1列,2列,3列或6列,并且我不希望以所有列概率运行if-elseif-else语句。所以,我刚刚建立了以下功能,但是我遇到and案件之间的multiple column search。以下是我的代码: - 

function listPlayer($player="player_guest", $group="group_guest",
$weapon="weapon_guest", $point="point_guest", $power="level_guest",
$status="status_guest") {

    $lePlayer = (isset($player) && $player != "player_guest") ?
            'player= '.$mysqli->real_escape_string($player).' and' : '';

    $leGroup = (isset($group) && $group != "group_guest") ?
            'group= '.$mysqli->real_escape_string($group).' and' : '';

    $leWeapon = (isset($weapon) && $weapon != "weapon_guest") ?
            'weapon= '.$mysqli->real_escape_string($weapon).' and' : '';

    $lePoint = (isset($point) && $point != "point_guest") ?
            'point= '.$mysqli->real_escape_string($point).' and' : '';

    $lePower = (isset($power) && $power != "level_guest") ?
            'level= '.$mysqli->real_escape_string($power).' and' : '';

    $leStatus = (isset($status) && $status != "status_guest") ?
            'status= '.$mysqli->real_escape_string($status).' and' : '';

    $query = "Select pid, name from game where {$lePlayer} {$leGroup} {$leWeapon} {$lePoint} {$lePower} {$leStatus} ";

    $runQuery = $mysqli->query($query);
}

但最后问题是and。如果我使用它们,那么最后我会额外加and,如果我不使用它们,那又是一个错误。

有人可以帮助我修复并找到更好的方法。

更新:我的更新代码,如果有人需要,可以使用{感谢Barmar 

function listPlayer($player="player_guest", $group="group_guest",
$weapon="weapon_guest", $point="point_guest", $power="level_guest",
$status="status_guest") {

    $lePlayer = (isset($player) && $player != "player_guest") ?
            'player= '.$mysqli->real_escape_string($player) : '' ;

    $leGroup = (isset($group) && $group != "group_guest") ?
            'group= '.$mysqli->real_escape_string($group) : '' ;

    $leWeapon = (isset($weapon) && $weapon != "weapon_guest") ?
            'weapon= '.$mysqli->real_escape_string($weapon) : '' ;

    $lePoint = (isset($point) && $point != "point_guest") ?
            'point= '.$mysqli->real_escape_string($point) : '' ;

    $lePower = (isset($power) && $power != "level_guest") ?
            'level= '.$mysqli->real_escape_string($power) : '' ;

    $leStatus = (isset($status) && $status != "status_guest") ?
            'status= '.$mysqli->real_escape_string($status) : '' ;

    $condition_array = ( $lePlayer , $leGroup , $leWeapon , $lePoint , $lePower , $leStatus)

    $condition_stirng = implode(' and ', $condition_array);

    $query = "Select pid, name from game where ".$condition_stirng;

    $runQuery = $mysqli->query($query);

    }

更新

我的电子邮件中有人收到邮件,说我的代码很容易受到SQL注入攻击。这是POC http://www.worldofhacker.com/2013/09/interesting-sql-vulnerable-code-even.html

由于

4 个答案:

答案 0 :(得分:1)

将所有条件放在数组中。然后将它们与:

结合起来 
$condition_string = implode(' and ', $condition_array);

答案 1 :(得分:0)

简单的解决方案是在结尾修剪“和”:

$query = substr($query, 0, strlen($query) - 3);

但更有效的方法是将它们放在循环中,如下所示:

$wheres = array("player_guest"=>$player, "group_guest"=>$group.....);
$query_where = "";
$i = 0;
foreach($wheres as $where=>$value){
    list($condition, $null) = explode("_",$where);
    if(isset($value)){
        $query_where .= $condition . "='" . $mysqli->real_escape_string($value)."'";
        if($i != sizeof($wheres)){
            $query_where .= " and ";
        }
    }
    $i++;
}

这可以扩展到任何数量的条件,并且最后不需要额外的字符串函数。

答案 2 :(得分:0)

请注意,确保您的条件有效需要$defaults。有点重复,但这都归功于你的功能声明。

function listPlayer(
    $player="player_guest",
    $group="group_guest",
    $weapon="weapon_guest",
    $point="point_guest",
    $power="level_guest",
    $status="status_guest") {

    //I'm just copying whatever is in the default parameters ;)
    $defaults = array(
        'player' => 'player_guest',
        'group' => 'group_guest',
        'weapon' => 'weapon_guest',
        'point' => 'point_guest',
        'power' => 'level_guest',
        'status' => 'status_guest'
    );

    //Set all user parameters into an array, easier to loop through
    $data = compact(array_flip($defaults));

    //Then we build conditions
    $conditions = array();
    foreach($data as $k => $v) {
        if ($defaults[k] !== $v) {
            $v = $mysqli->real_escape_string($v);
            $conditions[] = "$k='$v'";
        }
    }

    //And build query
    $query = "SELECT pid, name FROM game WHERE ".implode(" AND ", $conditions);
    $runQuery = $mysqli->query($query);
}

答案 3 :(得分:0)

首先,我建议您在PHP中使用MySQL时查看PDO

这些任务总是通过阵列图解决。

function listPlayer($player = null, $group = null, $weapon = null, $point = null, $power = null, $status = null) {
    $defaults = array(
        'player' => 'player_guest',
        'group' => 'group_guest',
        'weapon' => 'weapon_guest',
        'point' => 'point_guest',
        'status' => 'status_guest',
    );
    $values = compact(array_keys($defaults));

    $filtered = array_filter(array_diff_assoc($values, $defaults)); //firstly filtering out defaults, then - nulls.

    $where = '';
    foreach($filtered as $column => $value){
        if($where){
            $where .= ' AND ';
        }
        $where .=  sprintf("`%s` = '%s'", $column, $mysqli->real_escape_string($value));
    }

    $query = "SELECT pid, name FROM game WHERE $where";
    //executing...
}
相关问题
最新问题