如何将LIKE'%%'转换为用户输入

时间:2013-10-03 11:30:39

标签: php sql sql-server-2008

嗨我正在尝试创建一个商店定位器和零件查找器,ATM我有一个SQL查询使用LIKE获得所有答案,其中有1连接到php输入以及我将如何更改LIKE'% %'子句来自于特定于用户放入表单中的任何内容,但是获得与之类似的结果相同的结果,因此如果我键入1,则显示所有部分,如果我键入4则表示相同。我的代码是:

<head>
        <?php
        $serverName = "127.0.0.0";
        $connectionInfo = array( "Database"=>"db", "UID"=>"id", "PWD"=>"pwd");
        $conn = sqlsrv_connect( $serverName, $connectionInfo );
        if( $conn === false ) 
        {
            die( print_r( sqlsrv_errors(), true));
        }
        $sql = "SELECT     dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip, 
                           dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2)AS distances
                FROM       dbo.Customer INNER JOIN
                           CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND 
                           dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN
                           Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company
                WHERE      Part.partnum LIKE '%%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150)
                ORDER BY   distances ";

        $stmt = sqlsrv_query( $conn, $sql );
        if( $stmt === false) 
        {
            die( print_r( sqlsrv_errors(), true) );
        }
        while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC) ) {
        echo $row['name']."<br/>".$row['address1']."<br/>".$row['state']."<br/>".$row['zip']."<br/>".$row['phonenum']."<br/>".$row['distances']."<br/>".$row['partnum']."<br/>"
        .$row['description']."<br/>";
        }
        sqlsrv_free_stmt( $stmt);
        ?>
</head>
    <body>
        part = <?php echo $_POST["part"];?>
    </body>

1 个答案:

答案 0 :(得分:0)

首先,我建议你使用PDO而不是sqlsrv_*()函数。这是一个例子:

$sql = "SELECT     dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip, 
                           dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2)AS distances
                FROM       dbo.Customer INNER JOIN
                           CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND 
                           dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN
                           Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company
                WHERE      Part.partnum LIKE '%?%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150)
                ORDER BY   distances ";
$dbh = new PDO('sqlsrv:Server=localhost;Database=testdb', DB_USER, DB_PASS);
$stmt = $dbh->prepare($sql);
$stmt->execute(array($_GET['users_input']));

execute()被调用时,我添加到您的查询中的?将被数组中的值替换。有关详细信息,请参阅http://www.php.net/manual/en/pdo.prepared-statements.php

显然,您可能希望在将用户输入传递到execute()之前验证用户输入。