使用html表单在多列中搜索

时间:2016-03-20 22:50:56

标签: php sql mysqli

工作代码:)

这是正确的方法吗?或者我错过了一些更多的安全码?

出了什么问题?第一个if条件是:if(isset($ _ POST [' submit']){

The code..

}

我不知道如何工作,但我将其更改为下面的代码,现在它可以正常工作!! :)

<?php

                    if (isset($_POST['username']) || isset($_POST['locatie']) || isset($_POST['geslacht']) || isset($_POST['online'])) {

                        $name = mysqli_real_escape_string($server, $_POST['username']); 
                        $waar = mysqli_real_escape_string($server, $_POST['locatie']);
                        $sex = mysqli_real_escape_string($server, $_POST['geslacht']);  
                        $status = mysqli_real_escape_string($server, $_POST['online']);

                        $sql= "SELECT * FROM users WHERE 1=1";
                            if (isset($_POST['username'])) {
                                $name = $_POST['username'];
                                $sql .= " and username LIKE '%$name%'";
                            }

                            if (isset($_POST['locatie'])) {
                                $name = $_POST['locatie'];
                                $sql .= " and locatie LIKE '%$waar%'";
                            }

                            if (isset($_POST['geslacht'])) {
                                $name = $_POST['geslacht'];
                                $sql .= " and geslacht LIKE '%$sex%'";
                            }

                            if (isset($_POST['online'])) {
                                $name = $_POST['online'];
                                $sql .= " and online LIKE '%$status%'";
                            }

                                $sql .= " ORDER BY RAND()";

                        $result_set=mysqli_query($server,$sql) or die(mysqli_error($server));

                            //echo $sql;
                            echo '<div class="col-sm-12">';

                        while($row=mysqli_fetch_array($result_set)) {
                            echo '<div class="col-sm-2">';
                            echo '<center><img class="img-vrienden" src=' . $row['prof_pic'] . ' /><br>' . $row['username'].'</center>';
                            echo '</div>';
                        }
                            echo '</div>';   
                    }
                ?>

3 个答案:

答案 0 :(得分:2)

echo()中无法echo()

echo '<img class="img-vrienden" src="echo $row["prof_pic"]" /><br>
echo $row["username"]';

您需要使用.将变量连接到变量,这是PHP concat运算符:

echo '<img class="img-vrienden" src="' . $row["prof_pic"] . '" /><br>' . $row["username"];

您需要<input type="submit"而不是<button>

此:

<button name="submit" type="submit" class="button">

应该是:

<input type="submit" name"submit">

注意:您的代码容易受到SQL注入攻击,最好使用mysqli_real_escape_string来转义输入:

$name = mysqli_real_escape_string($server, $_POST['username']); 
$waar = mysqli_real_escape_string($server, $_POST['omgeving']);
$sex = mysqli_real_escape_string($server, $_POST['geslacht']);  
$status = mysqli_real_escape_string($server, $_POST['status']);

答案 1 :(得分:1)

如果您需要所有条件,请使用“和”,而不是“或”

但是更好的构建sql where子句动态,测试isset parms如下:

$sql= "SELECT * FROM users WHERE 1=1";
if isset($_POST['username']) {
  $name = $_POST['username'];
  $sql .= " and username LIKE '%$name%'";
}

答案 2 :(得分:0)

我修好了!!!而且效果很好..!向@Adam Silenko喊出动态where子句.. :))

AND @luweiqi感谢SQL注入帮助和<input>而不是<button>

相关问题
最新问题