MySQL搜索查询错误

时间:2014-05-06 20:06:50

标签: php mysql

我正在尝试创建一个表单,允许用户使用Venue和类别字段搜索事件,这些字段编写为下拉框和Price,最后按事件标题编写,如输入关键字时通过代码显示它匹配数据库中的字段,如果在任一搜索字段上进行了匹配,它应该输出该事件的所有相关信息,但无论我在搜索字段中键入什么,它似乎都会从数据库输出每个事件。

数据库:http://i.imgur.com/d4uoXtE.jpg

HTML表格

    <form name="searchform" action ="PHP/searchfunction.php" method = "post" >
<h2>Event Search:</h2>
Use the Check Boxes to indicate which fields you watch to search with
<br /><br />
<h2>Search by Venue:</h2>

<?php
echo "<select name = 'venueName'>";
$queryresult2 = mysql_query($sql2) or die (mysql_error());
while   ($row = mysql_fetch_assoc($queryresult2))  {
echo "\n";
$venueID = $row['venueID'];
$venueName = $row['venueName'];
echo "<option value = '$venueID'";
echo ">$venueName</option>";
}# when the option selected matches the queryresult it will echo this

echo "</select>";
mysql_free_result($queryresult2);
mysql_close($conn);
?>
<input type="checkbox" name="S_venueName">
<br /><br />
<h2>Search by Category:</h2>
<?php
include 'PHP/database_conn.php';

$sql3 ="SELECT catID, catDesc
FROM te_category";

echo "<select name = 'catdesc'>";
$queryresult3 = mysql_query($sql3) or die (mysql_error());
while   ($row = mysql_fetch_assoc($queryresult3))  {
echo "\n";
$catID = $row['catID'];
$catDesc = $row['catDesc'];
echo "<option value = '$catID'";
echo ">$catDesc </option>";
}

echo "</select>";
mysql_free_result($queryresult3);
mysql_close($conn);
?>
<input type="checkbox" name="S_catDes">
<br /><br />

<h2>Search By Price</h2>
<input type="text" name="S_price" />
<input type="checkbox" name="S_CheckPrice">
<br /><br />

<h2>Search By Event title</h2>
<input type="text" name="S_EventT" />
<input type="checkbox" name="S_EventTitle">
<br /><br />
<input name="update" type="submit" id="update" value="Search">

searchfunction.php文件

<?php
$count = 0;
include 'database_conn.php';


$venuename = $_REQUEST['venueName']; //this is an integer
$catdesc = $_REQUEST['catdesc']; //this is a string
$Price = $_REQUEST['S_price'];
$EventT = $_REQUEST['S_EventT'];



$sql = "select * FROM te_events WHERE venueID LIKE '%$venuename%' OR catID LIKE '%$catdesc%' OR          eventPrice LIKE '%Price%' OR eventTitle LIKE '%$EventT%'";

$queryresult = mysql_query($sql) or die (mysql_error());
while ($row = mysql_fetch_assoc($queryresult))
{
    echo $row['eventTitle'];
    echo $row['eventDescription'];
    echo $row['venueID'];
    echo $row['catID'];
    echo $row['eventStartDate'];
    echo $row['eventEndDate'];
    echo $row['eventPrice'];
}

mysql_free_result($queryresult);
mysql_close($conn);

?>

3 个答案:

答案 0 :(得分:0)

由于您在通配符包围的任何字段上进行匹配,如果任何字段为空,则MySQL查询将匹配所有行。

此外,您需要阻止MySQL注入。否则,您的MySQL表最终会被黑客攻击。

顺便说一句,代码eventPrice LIKE '%Price%'无效且缺少美元符号。

最后,mysql扩展程序已被弃用。我建议使用mysqli,因为它非常相似。

答案 1 :(得分:0)

查询应该是 $ sql =&#34;选择* FROM te_events WHERE(场所ID LIKE&#39;%$ venuename%&#39; 或类似猫咪&#39;%$ catdesc%&#39; 或者eventPrice LIKE&#39;%$ Price%&#39; 或者eventTitle LIKE&#39;%$ EventT%&#39;) ;

答案 2 :(得分:0)

要从使用方法POST提交的表单中获取值,我们使用$_POST来访问表单数据,而不是$_REQUEST

$venuename = $_POST['venueName']; //this is an integer
$catdesc = $_POST['catdesc']; //this is a string
$Price = $_POST['S_price'];
$EventT = $_POST['S_EventT'];

这是关于你的问题 - 现在一些重要的注意事项:
不要使用mysql扩展名,因为它已被弃用。阅读this official documentation
使用mysqli并通过再次使用official documentation中的准备查询和参数来阻止SQL注入。

相关问题
最新问题