在数据库中搜索产品名称

时间:2013-10-13 01:45:00

标签: php sql database

    <?php include "connect.php"; ?> <br /> <br />

<form action="" method="get">
    Search: <input type="text" name="search">
    <input type="submit">
</form>

<?php
    $get = mysqli_query($connect,"SELECT * FROM $table WHERE NAME = echo $_GET['search']");

    while($row = mysqli_fetch_array($get)) {
        echo $row['NAME']." ".$row['INFO'];
    }
?>

我试图做的是,一旦用户在搜索栏中输入名称并提交它我想要搜索到数据库...我已经尝试过所有内容所以请告诉我一种方法。

2 个答案:

答案 0 :(得分:3)

尝试

$get = mysqli_query($connect,"SELECT * FROM TableName WHERE Name LIKE '%" . $_GET['search'] . "%'");

BUT !!!!

小心SQL injection

我建议使用此方法:

$mysqli = new mysqli(<ServerAddress>,<DatabaseName>,<Password>,<UserName>)
$stmt = $mysqli->prepare("SELECT col1, col2, col3 FROM TableName WHERE Name LIKE") or die($mysqli->error);
$stmt->bind_params('s', "%" . $_GET['search'] . "%");
$stmt->execute() or die ($mysqli->error);
$stmt->bind_result($Col1, $Col2, $Col3);
while($stmt->fetch()):
    ...
endwhile;

这里的代码显然还有很多,但最终它更安全。这也将列绑定到PHP变量,允许您自由使用它们。

答案 1 :(得分:0)

如果您使用$ _GET,则应将$ _GET ['search']设置为等于变量,而不是在查询中使用“echo”。但是,我不会通过带有$ _GET的URL传递搜索,因为它不太安全。尝试将表单方法更改为“post:”

<form action="search.php" method="post">
  <label for="name">Search</label>
  <input type="text" name="name">
  <input type="submit">
</form>

然后后端的“search.php”文件看起来像这样:

<?php
    $name = mysql_real_escape_string(strtolower($_POST['name']));

    $query = "SELECT * FROM $table WHERE name LIKE '%$name%'";
    $run = mysql_query($query);
    $result = mysql_fetch_array($run);

    foreach($item as $result){
      //echo the results how you will 
    }
?>