Sending a form without special characters

Time: 2014-08-27 23:11:07

Tags: php

I know this is simple, but I have been searching for an answer. I think I may be overthinking it and making it too complicated.

I have a form that sends a GET request to populate a listing page, and I noticed that when the URL string is

    ../view.php?keyword=a+b

everything works great.

However, when the user enters a special character in the form and the URL changes to

    ../view.php?keyword=a+%2Cb

I get no results back.

I have tried applying the urlencode() rules as well as FILTER_SANITIZE_ENCODED, but I cannot see how to get the code to work with special characters. I have also made sure to use the UTF-8 charset.

How can I make the GET request ignore special characters in the URL?

Code:

    <?php
    // $con is the mysql_connect() link. $lati and $longi (the reference point used by
    // the "distance" column) are set earlier in the script and are not shown here.
    // Every request value is escaped or cast before it is concatenated into the SQL.
    if (isset($_REQUEST["water-selection"]) || isset($_REQUEST["city-selection"]) || isset($_REQUEST["bed-selection"]) || isset($_REQUEST["bath-selection"]) || isset($_REQUEST["keyword"]) || isset($_REQUEST["price"]) || isset($_REQUEST["pending"])) {
        $where = " WHERE 1=1 ";
        if (isset($_REQUEST["water-selection"]) && $_REQUEST["water-selection"] != "Water Selection") {
            if ($where != "") { $where .= " AND "; }
            $where .= " field_RESIBDWR = '" . mysql_real_escape_string($_REQUEST["water-selection"], $con) . "'";
        }
        if (isset($_REQUEST["city-selection"]) && $_REQUEST["city-selection"] != "City Selection") {
            if ($where != "") { $where .= " AND "; }
            $where .= " field_City = '" . mysql_real_escape_string($_REQUEST["city-selection"], $con) . "'";
        }
        if (isset($_REQUEST["bed-selection"]) && $_REQUEST["bed-selection"] != "Bed(s)") {
            if ($where != "") { $where .= " AND "; }
            $where .= " field_Bedrooms >= '" . mysql_real_escape_string($_REQUEST["bed-selection"], $con) . "'";
        }
        if (isset($_REQUEST["bath-selection"]) && $_REQUEST["bath-selection"] != "Bath(s)") {
            if ($where != "") { $where .= " AND "; }
            $where .= " field_Bathrooms >= '" . mysql_real_escape_string($_REQUEST["bath-selection"], $con) . "'";
        }

        if (isset($_GET['keyword']) && '' !== trim($_GET['keyword'])) {
            // The keyword is split on spaces only; every term must match at least one field.
            $terms = explode(' ', $_GET['keyword']);
            $fields = array('ZipCode', 'MLNumber', 'RESIBDWR',
                'ListingOfficeName', 'RESIADDI', 'MarketingRemarks',
                'StreetNumber', 'StreetDirection', 'StreetName', 'StreetSuffix', 'State');
            $criteria = array();
            foreach ($terms as $term) {
                if (!$term) continue;
                $term = mysql_real_escape_string($term, $con);
                $c = array();
                foreach ($fields as $field) {
                    $c[] = 'field_' . $field . ' LIKE \'%' . $term . '%\'';
                }
                $criteria[] = implode(' OR ', $c);
            }

            if ($criteria) {
                $condition = '(' . implode(")\nAND (", $criteria) . ')';
                if ($where) $where .= ' AND (' . $condition . ')';
                else $where = $condition;
            }
        }

        if (isset($_REQUEST["price"])) {
            // Price arrives as "min;max"; both halves are used unquoted, so cast them to numbers.
            $price = explode(";", urldecode($_REQUEST["price"]));
            if ($where != "") { $where .= " AND "; }
            $where .= " field_ListingPrice between " . (float) $price[0] . " AND " . (float) ($price[1] ?? 0) . " ";
        }
        if (isset($_REQUEST["pending"])) {
            if ($where != "") { $where .= " AND "; }
            $where .= " field_Status = 'Pending'";
        }
    } else {
        $where = " WHERE `field_ZipCode` IN (SELECT zip FROM zipcodes)";
    }

    // Count the matching rows first, to compute the number of pages.
    $sql = "SELECT count(id) as count FROM rc_Data $where";
    $res = mysql_query($sql, $con) or die('Query failed: ' . mysql_error() . "<br />\n$sql");
    $records_per_page = 10;

    $total_rec = 0;
    while ($row = mysql_fetch_array($res)) {
        $total_rec = $row["count"];
    }

    $total_pages = ceil($total_rec / $records_per_page);

    $curr_page = 1;
    if (isset($_REQUEST["page"])) { $curr_page = (int) $_REQUEST["page"]; }

    $start_index = ($curr_page - 1) * $records_per_page;
    if ($start_index < 0) { $start_index = 0; }
    //$sql = "SELECT *, round(3956 *2 * ASIN( SQRT( POWER( SIN( ( {$lati} - field_Latitude ) * pi( ) /180 /2 ) , 2 ) + COS( {$lati} * pi( ) /180 ) * COS( field_Latitude * pi( ) /180 ) * POWER( SIN( ( {$longi} - field_Longitude) * pi( ) /180 /2 ) , 2 ) ) ),0) AS distance FROM rc_Data order by distance, (`field_ListingAgentMLSID` = 'H10207') DESC, `field_ListingAgentMLSID`, field_ListingPrice DESC, id desc limit {$start_index}, {$records_per_page}";
    //$sql = "SELECT *, round(3956 *2 * ASIN( SQRT( POWER( SIN( ( {$lati} - field_Latitude ) * pi( ) /180 /2 ) , 2 ) + COS( {$lati} * pi( ) /180 ) * COS( field_Latitude * pi( ) /180 ) * POWER( SIN( ( {$longi} - field_Longitude) * pi( ) /180 /2 ) , 2 ) ) ),0) AS distance FROM rc_Data order by (`field_ListingAgentMLSID` = 'H10207') DESC, `field_ListingAgentMLSID`, distance, field_ListingPrice DESC, id desc limit {$start_index}, {$records_per_page}";
    // Fetch the current page, with a great-circle distance (in miles) from ($lati, $longi).
    $sql = "SELECT *, round(3956 *2 * ASIN( SQRT( POWER( SIN( ( {$lati} - field_Latitude ) * pi( ) /180 /2 ) , 2 ) + COS( {$lati} * pi( ) /180 ) * COS( field_Latitude * pi( ) /180 ) * POWER( SIN( ( {$longi} - field_Longitude) * pi( ) /180 /2 ) , 2 ) ) ),0) AS distance FROM rc_Data  $where order by (`field_ListingAgentMLSID` = 'H10207') DESC, field_ListingPrice DESC limit {$start_index}, {$records_per_page}";
    $res = mysql_query($sql, $con) or die('Query failed: ' . mysql_error() . "<br />\n$sql");
    //echo $sql;

    // Rebuild the query string without "page" for the pagination links.
    unset($_GET['page']);
    $qs = http_build_query($_GET);
    ?>

1 answer:

Answer 0 (score: 2)

I don't think encoding is the problem.

On this line:

    $terms = explode(' ', $_GET['keyword']);

you split the keyword query-string variable on spaces only.

If you send keyword=a+%2Cb as the parameter, you can see by echoing $_GET['keyword'] that it is automatically converted to a ,b.

So when you split on spaces you get two terms, a and ,b, which is not what you want.

Later you use $terms:

    foreach ($fields as $field) {
      $c[] = 'field_'.$field.' LIKE \'%'.$term.'%\'';
    }

So you are basically adding the SQL constraints LIKE '%a%' and LIKE '%,b%' to the WHERE clause.

You have to define the delimiter on which keyword should be split, e.g.:

    $terms = explode(',', $_GET['keyword']);

would make the second example work (i.e. generate LIKE '%a%' and LIKE '%b%').

Edit

A more robust form of explode is preg_split. Try this:

    $terms = preg_split("/[\s,]+/", $_GET['keyword']);
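The following is an added example, not code from the question or the answer: it tokenizes the keyword with the preg_split pattern the answer suggests and binds each LIKE term as a PDO parameter instead of concatenating it into the query, which is what lets the script accept any character the user types. The rc_Data table and field_* columns are the ones from the question; the helper names, the PDO DSN and the credentials are placeholders to be replaced.

```php
<?php
// Added example (not from the question or the answer). Assumes the rc_Data table
// and field_* columns from the question; DB_NAME/DB_USER/DB_PASS are placeholders.

function keywordTerms(string $keyword): array {
    // Split on runs of whitespace and/or commas. "a+%2Cb" reaches PHP as "a ,b"
    // and yields ["a", "b"] here instead of explode(' ')'s ["a", ",b"].
    $terms = preg_split('/[\s,]+/', $keyword, -1, PREG_SPLIT_NO_EMPTY);
    return $terms === false ? [] : $terms;
}

function buildKeywordCondition(array $terms, array $fields): array {
    if ($terms === [] || $fields === []) {
        return ['1=1', []];                 // no keyword filter to apply
    }
    $groups = [];
    $params = [];
    foreach (array_values($terms) as $i => $term) {
        // Escape LIKE wildcards so a user-typed '%' or '_' matches literally.
        $pattern = '%' . addcslashes($term, '%_\\') . '%';
        $ors = [];
        foreach (array_values($fields) as $j => $field) {
            $name  = ":kw{$i}_{$j}";        // one named placeholder per term/field pair
            $ors[] = "field_{$field} LIKE {$name}";
            $params[$name] = $pattern;
        }
        $groups[] = '(' . implode(' OR ', $ors) . ')';   // term matches any field
    }
    // Every term must match: groups are ANDed, as in the question's script.
    return [implode(' AND ', $groups), $params];
}

$fields  = ['ZipCode', 'MLNumber', 'StreetName', 'MarketingRemarks'];
$keyword = $_GET['keyword'] ?? 'a ,b';      // constructed sample input when run from the CLI
[$condition, $params] = buildKeywordCondition(keywordTerms($keyword), $fields);
// $condition is "(field_ZipCode LIKE :kw0_0 OR ...) AND (field_ZipCode LIKE :kw1_0 OR ...)"
// and $params maps each placeholder to "%a%" or "%b%"; no user text enters the SQL string.

$pdo  = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS');
$stmt = $pdo->prepare("SELECT COUNT(id) AS count FROM rc_Data WHERE {$condition}");
$stmt->execute($params);
echo $stmt->fetchColumn(), "\n";
```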