Why doesn't this SQL command work?

Time: 2016-05-20 12:20:54

Tags: mysql sql

I can't figure out why this sql query doesn't work and why it doesn't filter by the keyword from the URL.

Here is my code:

include("menujednoty.php");
$hostname="localhost";  
$username="kintrogorgo";  
$password="password";  
$keyword = $_GET['a.tovar'];
$db = "jednoty";  
$dbh = new PDO("mysql:host=$hostname;dbname=$db", $username, $password);  
foreach($dbh->query  ('SELECT a.tovar ,
( select sum(b.kusy) from jednotypredaj as b where b.tovar=a.tovar and b.co="prijem" ) as prijem_ks,
( select sum(c.kusy) from jednotypredaj as c where c.tovar=a.tovar and c.co="predaj" ) as predaj_ks, kod
FROM jednotypredaj WHERE
 (a.tovar LIKE '%$keyword%' ) as a GROUP BY a.tovar ORDER by a.tovar ASC') as $row)
 {     
     echo "<tr>"; 
     echo "<td>" . $row['tovar'] . "</td>";  
     echo "<td>" . $row['prijem_ks']. "</td>";  // The sold pieces should go here
     echo "<td>" . $row['predaj_ks'] . "</td>"; 
     echo "<td>" . $row['kod'] . "</td>";  

     echo "<td>" . ($row['predaj_ks']-$row['prijem_ks'] . "</td>");
     echo "<td>" . (100/$row['prijem_ks']*$row['predaj_ks']  . "</td>");
     echo '<td><a href="3edit.php?tovar=' . $row['tovar'] . '">Zobraziť</a></td>';
     //echo '<td><a href="3test.php?tovar=' . $row['tovar'] . '">In Development</a></td>';
     //echo '<td><a href="3testtest.php?tovar=' . $row['tovar'] . '">In Development 2</a></td>';

2 answers:

Answer 0 (score: 0)

The quotes are breaking the SQL syntax; rewrite it as a prepared statement to make it easier:

$stmt = $dbh->prepare('SELECT a.tovar ,
    ( select sum(b.kusy) from jednotypredaj as b 
      where b.tovar=a.tovar and b.co=:received ) as prijem_ks,
    ( select sum(c.kusy) from jednotypredaj as c
       where c.tovar=a.tovar and c.co=:paid ) as predaj_ks, kod
    FROM jednotypredaj as a WHERE
    (a.tovar LIKE :keyword )
    GROUP BY a.tovar ORDER by a.tovar ASC');

// The alias "a" belongs on FROM, and the LIKE wildcards belong in the bound value, not in the SQL text
$stmt->execute(array('received' => 'prijem', 'paid' => 'predaj', 'keyword' => '%' . $keyword . '%'));

foreach ($stmt as $row) {
  echo "<tr>"; 
  echo "<td>" . $row['tovar'] . "</td>";  
  ...

Answer 1 (score: 0)

Reconsider your SQL statement, since you can run either a correlated subquery or conditional aggregation. Also, your table alias a is misplaced after the WHERE clause:

Correlated subquery (retains unit-level records with the kod column)

SELECT a.tovar, 
      (select sum(b.kusy) from jednotypredaj as b 
       where b.tovar=a.tovar and b.co='prijem') as prijem_ks, 
      (select sum(c.kusy) from jednotypredaj as c 
       where c.tovar=a.tovar and c.co='predaj') as predaj_ks, 
       a.kod 
FROM jednotypredaj as a
WHERE (a.tovar LIKE '%$keyword%') 
ORDER by a.tovar ASC

Conditional aggregation (aggregated records, so the kod column is dropped unless it is added as a group column)

SELECT a.tovar, 
      SUM(CASE WHEN a.co='prijem' THEN a.kusy ELSE NULL END) as prijem_ks, 
      SUM(CASE WHEN a.co='predaj' THEN a.kusy ELSE NULL END) as predaj_ks
FROM jednotypredaj as a
WHERE (a.tovar LIKE '%$keyword%')
GROUP BY a.tovar
ORDER by a.tovar ASC

MySQL may allow kod in the SELECT clause but not in the GROUP BY clause of an aggregate query if your instance has the ONLY_FULL_GROUP_BY setting turned off, but this is not recommended since it is not ANSI-SQL compliant.

As mentioned above, parameterize these queries in the PHP script, binding the string literals, which helps avoid quote handling and SQL injection.
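The corrected correlated-subquery search run through a PDO prepared statement, as an added example that is not part of either answer: the alias sits on FROM, the keyword is bound rather than interpolated, and LIKE metacharacters typed by the user are escaped. It assumes the jednotypredaj table and credentials from the question; escapeLike, searchTovar and the keyword query parameter are names chosen here.

```php
<?php
// Added example, not from the question or the answers. Assumes the connection
// details and the table jednotypredaj(tovar, co, kusy, kod) from the question;
// escapeLike and searchTovar are names chosen for this example.

// Escape LIKE metacharacters so a user-typed '%' or '_' matches literally.
// The query declares backslash as the escape character (ESCAPE '\\').
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

function searchTovar(PDO $dbh, string $keyword): array
{
    // Original: ... FROM jednotypredaj WHERE (a.tovar LIKE '%$keyword%') as a ...
    // A keyword containing a quote ends the literal and the remainder is parsed as
    // SQL; the alias after WHERE is also a syntax error. Here the alias is on FROM
    // and the keyword arrives as a bound parameter, never as SQL text.
    $sql = <<<'SQL'
        SELECT a.tovar,
               (SELECT SUM(b.kusy) FROM jednotypredaj AS b
                 WHERE b.tovar = a.tovar AND b.co = 'prijem') AS prijem_ks,
               (SELECT SUM(c.kusy) FROM jednotypredaj AS c
                 WHERE c.tovar = a.tovar AND c.co = 'predaj') AS predaj_ks,
               a.kod
          FROM jednotypredaj AS a
         WHERE a.tovar LIKE :keyword ESCAPE '\\'
         ORDER BY a.tovar ASC
        SQL;

    $stmt = $dbh->prepare($sql);
    // The wildcards are part of the value, so the SQL text never changes.
    $stmt->bindValue(':keyword', '%' . escapeLike($keyword) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the connection from the question ($username/$password assumed defined).
$dbh = new PDO("mysql:host=localhost;dbname=jednoty;charset=utf8mb4", $username, $password, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors, no silent failure
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);
foreach (searchTovar($dbh, $_GET['keyword'] ?? '') as $row) {
    $received = (int) $row['prijem_ks'];
    echo '<tr><td>' . htmlspecialchars($row['tovar'], ENT_QUOTES, 'UTF-8') . '</td>';
    echo '<td>' . $received . '</td><td>' . (int) $row['predaj_ks'] . '</td>';
    // Guard the division the original performed unconditionally.
    echo '<td>' . ($received > 0 ? 100 / $received * (int) $row['predaj_ks'] : 'n/a') . '</td></tr>';
}
```

With ATTR_ERRMODE set to exceptions, the syntax error from the misplaced alias in the original would have been reported instead of the loop silently showing nothing.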