我试图在PHP中找到一种方法将来自多个下拉框的数据合并为一个SQL语句。我可以让这部分工作。这是SQL查询:
$sql = "
SELECT *
FROM books
WHERE
author = '$bird'
AND genre = '$cat'
AND year= '$mouse'
AND publisher = '$goat'
";
$bird,$cat等是保存每个下拉框中选择的变量。
我的结果好坏参半。 所有四个都将很好地协同工作,所有这些都将单独工作。
所以如果我从作者,流派,年份和出版商中选择,那么按选择它可行,如果我单独选择它们也可以。
但是如果尝试并且只选择两个项目,那么让我们说作者和年份,它不起作用并且可以产生各种不正确的数据。这是完整的代码。任何帮助表示赞赏:
<html>
<head>
<title>My Page</title>
</head>
<body>
<br>
<form name="myform" action="authors3.php" method="POST">
<select name="author" size="2">
<option value="ken davies">ken davies</option>
<option value= "arthur smith">arthur smith</option>
<option value="gill rafferty">gill rafferty</option><br />
<option value="molly brown">molly brown</option><br />
<option value="gilbert riley">gilbert riley</option><br />
<input type = "submit" name = "submit" value = "go">
<select name="genre" size="4">
<option value="adventure">adventure</option>
<option value="biography">biography</option>
<option value="crime">crime</option><br />
<option value="romance">romance</option>
<option value="thriller">thriller</option>
<input type = "submit" name = "submit" value = "go">
<select name="year" size="4">
<option value="2002">2002</option>
<option value="2003">2003</option>
<option value="2004">2004</option>
<option value="2005">2005</option>
<option value="2006">2006</option>
<option value="2007">2007</option>
<option value="2008">2008</option>
<input type = "submit" name = "submit" value = "go">
<select name="publisher" size="4">
<option value="blue parrot">blue parrot</option>
<option value="yonkers">yonkers</option>
<option value="zoot">zoot</option>
<input type = "submit" name = "submit" value = "go">
<?php
$bird = (!empty($_POST['author'])) ? $_POST['author'] : null;
$cat = (!empty($_POST['genre'])) ? $_POST['genre'] : null;
$mouse = (!empty($_POST['year'])) ? $_POST['year'] : null;
$goat = (!empty($_POST['publisher'])) ? $_POST['publisher'] : null;
$con = mysql_connect("localhost","root","");
If (!$con) {
die("Can not Connect with database" . mysql_error());
}
mysql_select_db("authors",$con);
if (isset($bird) && isset($cat) && isset($mouse) && isset($goat)){
$sql = "SELECT * FROM books WHERE author = '$bird'
AND genre = '$cat' AND year = '$mouse' AND
publisher = '$goat' ";
}
else if (isset($bird)) {
$sql = "SELECT * FROM books WHERE author = '$bird' ";
}
else if (isset($cat)) {
$sql = "SELECT * FROM books WHERE genre = '$cat' ";
}
else if (isset($mouse)) {
$sql = "SELECT * FROM books WHERE year = '$mouse' ";
}
else if (isset($goat)) {
$sql = "SELECT * FROM books WHERE publisher = '$goat' ";
}
$myData = mysql_query($sql,$con);
echo"<table border=1>
<tr>
<th>id</th>
<th>author</th>
<th>title</th>
<th>publisher</th>
<th>year</th>
<th>genre</th>
<th>sold</th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<tr>";
echo "<td>" . $record['id'] . "</td>";
echo "<td>" . $record['author'] . "</td>";
echo "<td>" . $record['title'] . "</td>";
echo "<td>" . $record['publisher'] . "</td>";
echo "<td>" . $record['year'] . "</td>";
echo "<td>" . $record['genre'] . "</td>";
echo "<td>" . $record['sold'] . "</td>";
echo "<tr />";
}
echo "</table>";
mysql_close($con);
?>
note: all four are working<br />
all work individually<br />
two or three dont work together
</form>
</body>
</html>
答案 0 :(得分:0)
除了你使用一种不推荐的方式连接到MySQL(读取SQL注入和PDO)之外,你还没有涵盖代码中的所有用例。
更好的方法可能是编写基本查询($q = 'SELECT * FROM books WHERE),并使用适当的额外WHERE子句扩展该查询,具体取决于检查参数是否为空(if (!empty($goat)) // append new clause to the WHERE portion)。
答案 1 :(得分:0)
你的查询是半罚款。您的声明是您问题的原因!原因是你基本上是这样做的:
genre ='adventure' and year = null.
您要做的是相应地编辑您的查询。所以你想做
if (!is_null($year)) {
$sql.= "AND Year = $year";
}
问题是以上方法允许注射!!如果你被证实是一个很大的问题!!!!
所以我建议使用bind_params但是说在bind_params上调用cal_user_func_array有点棘手,所以我建议使用PDO来编辑查询并安全有效地管理参数