我正在尝试使用从数据库中的其他表填充的一系列下拉框来过滤我的结果,除了从表单返回的主要选项*
目前,表单按预期提交数据,但不返回任何结果。我怀疑是因为查询在相应列中搜索*。
所以问题是,星号可以用作WHERE语句中的通配符吗? 如果没有,我将如何解决这个问题呢?
包含了违规代码,我知道在查询中使用$variable是不好的做法,但在这个阶段我正在寻找功能性解决方案,而不是生产代码。
欢呼声。
echo " <form method=\"post\" action=\"$self\">
<table>
<tr>
<th>ID</th>
<th>REGISTER</th>
<th>LOCATION</th>
<th>TYPE</th>
<th>CAPACITY</th>
<th>LENGTH</th>
<th>QTY</th>
<th>SERIAL#</th>
<th>CERT#</th>
<th>LAST INSPECTION</th>
<th>BY</th>
<th>DATE IN</th>
<th>DATE OUT</th>
<th>STATUS</th>
<th>NOTES</th>
</tr>";
?>
<!-- START OF FILTER ROW -->
<tr>
<td></td>
<td> <select name="register" id="register">
<option value="*">---</option>
<?php
$sql = "SELECT * FROM valid_registers";
foreach ($dbh->query($sql) as $row)
{
echo "<option value\"" . $row['register'] . "\">" . $row['register'] . "</option>";
}
?>
</select></td>
<td> <select name="location" id="location">
<option value="*">---</option>
<?php
$sql = "SELECT * FROM valid_locations";
foreach ($dbh->query($sql) as $row)
{
echo "<option value\"" . $row['location'] . "\">" . $row['location'] . "</option>";
}
?>
</select></td>
<td> <select name="type" id="type">
<option value="*">---</option>
<?php
$sql = "SELECT * FROM valid_types";
foreach ($dbh->query($sql) as $row)
{
echo "<option value\"" . $row['type'] . "\">" . $row['type'] . "</option>";
}
?>
</select> </td>
<td><input type="radio" name="capacity" id="cap_asc" value="cap_asc">
<
<input type="radio" name="capacity" id="cap_dec" value="cap_dec">
></td>
<td><input type="radio" name="length" id="length_asc" value="length_asc">
<
<input type="radio" name="length" id="length_des" value="length_des">
></td>
<td> </td>
<td> </td>
<td> </td>
<td><input type="radio" name="lastinsp" id="lastinsp_asc" value="lastinsp_asc">
<
<input type="radio" name="lastinsp" id="lastinsp_dec" value="lastinsp_dec">
></td>
<td> </td>
<td><input type="radio" name="datein" id="datein_asc" value="datein_asc">
<
<input type="radio" name="datein" id="datein_dec" value="datein_dec">
></td>
<td><input type="radio" name="dateout" id="dateout_asc" value="dateout_asc">
<
<input type="radio" name="dateout" id="dateout_dec" value="dateout_dec">
></td>
<td> <select name="status" id="status">
<option value="*">---</option>
<?php
$sql = "SELECT * FROM valid_status";
foreach ($dbh->query($sql) as $row)
{
echo "<option value\"" . $row['status'] . "\">" . $row['status'] . "</option>";
}
?>
</select> </td>
<td> </td>
<td><input type="submit" name="submit_filter" id="submit_filter" value="Filter"></td>
</tr>
<!--END OF FILTER ROW -->
<?
//get data from the db
if(isset($_POST['submit_filter'])) {
//fetch filter options
$register = $_POST['register'];
$location = $_POST['location'];
$type = $_POST['type'];
$status = $_POST['status'];
//prepare and execute the query
$sql = "SELECT * FROM register WHERE register=$reigster AND location=$location AND type=$type AND status=$status ";
}
else { $sql = "SELECT * FROM register"; }
foreach ($dbh->query($sql) as $row)
{
echo "<tr>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" . $row['register'] . "</td>";
echo "<td>" . $row['location'] . "</td>";
echo "<td>" . $row['type'] . "</td>";
echo "<td>" . $row['capacity'] . "</td>";
echo "<td>" . $row['length'] . "</td>";
echo "<td>" . $row['qty'] . "</td>";
echo "<td>" . $row['serial'] . "</td>";
echo "<td>" . $row['cert'] . "</td>";
echo "<td>" . $row['lastinsp'] . "</td>";
echo "<td>" . $row['inspby'] . "</td>";
echo "<td>" . $row['datein'] . "</td>";
echo "<td>" . $row['dateout'] . "</td>";
echo "<td>" . $row['status'] . "</td>";
echo "<td>" . $row['notes'] . "</td>";
echo "<td><a href='" . $self . "?edit=" . $row['id'] . "'>Edit</a></td>";
//echo "<td><input type=\"submit\" name=\"edit\" id=\"edit\" value=\"Edit\" /></td>";
echo "<td><a href='" . $self . "?delete=" . $row['id'] . "'>Delete</a></td>";
//echo "<td><input type=\"submit\" name=\"delete\" id=\"delete\" value=\"Delete\" /></td>";
echo "</tr>";
}
echo "</table></form>";
}
答案 0 :(得分:0)
不,*实际上只在选择的列中有效,不在where子句中。
执行此操作的常用方法是从表单中捕获*并使用它来通过完全删除where子句的那一部分来修改实际的SQL语句,类似于(伪代码) ):
if param['userid'] == '*':
query = 'select name from users'
else:
query = 'select name from users where id = ?'
虽然我已经看到参数化查询需要一致数量的参数而不考虑野外梳理的情况(在一些BIRT报告中,我已经查看了动态修改查询的位置但是参数count很难改变),所以你会得到类似的东西:
if param['userid'] == '*':
query = 'select name from users where (id = ? or 1 = 1)'
else:
query = 'select name from users where id = ?'
这有点像kludge,但它有时用于减轻开发人员的工作量。我宁愿尽可能以第一种方式去做。
要为多个条件执行此操作,您可以执行以下操作:
joiner = " where "
query = "select something from mytable"
if param['userid'] != '*':
query = query + joiner + "user_id = '" + param['id'] + "'"
joiner = " and "
if param['age'] != '*':
query = query + joiner + "user_age = " + param['age']
joiner = " and "
if param['gender'] != '*':
query = query + joiner + "user_sex = '" + param['gender'] + "'"
joiner = " and "
请记住,除非您已经清理了param[]数组值,否则会冒SQL注入攻击的风险。我省略了解决方案,因为它与手头的问题无关。