我在我的网站上创建了一个高级搜索功能来搜索。我有5个字段可用于搜索特定帐户(姓氏,姓名,用户名,注册日期和帐户排名),并且所有字段的选项必须匹配,或者1(或更多)字段必须匹配。用户输入的值通过Javascript发布到PHP文件。然后PHP文件完成搜索。
目前," AND"搜索作为空白值不会影响搜索结果,因为其他值仍必须匹配。然而," OR"并不是因为空的搜索框会导致其他记录显示,因为它们匹配" LIKE%"。$ Variable。"%"当变量为空时搜索。
我需要找出一种方法让系统忽略空盒子,但是,我很难找到一种合适的方法,它可以在不引起SQL代码错误的情况下工作,其中" OR"用在错误的地方。所以任何建议都会很好。
提前致谢, 汤姆
PHP
<?php
//Retrieves variables from Javascript.
$Surname = $_POST["Surname"];
$Forename = $_POST["Forename"];
$Username = $_POST["Username"];
$Joined = $_POST["Joined"];
$Rank = $_POST["Rank"];
$ANDOR = $_POST["ANDOR"];
$data = 0;
include "db/openlogindb.php";
if($DBError == true){
$data = 3;
}
else{
if($ANDOR == "AND"){
$UserSearch = "SELECT username, surname, forename, joined, rank FROM users
WHERE surname LIKE '%".$Surname."%'
AND forename LIKE '%".$Forename."%'
AND username LIKE '%".$Username."%'
AND joined LIKE '%".$Joined."%'
AND rank LIKE '%".$Rank."%'
ORDER BY surname";
}
else if($ANDOR == "OR"){
$UserSearch = "SELECT username, surname, forename, joined, rank FROM users
WHERE surname LIKE '%".$Surname."%'
OR forename LIKE '%".$Forename."%'
OR username LIKE '%".$Username."%'
OR joined LIKE '%".$Joined."%'
OR rank LIKE '%".$Rank."%'
ORDER BY surname";
}
else{
$data = 2;
}
if($data == 0){
$results = mysqli_query($conn, $UserSearch);
if(mysqli_num_rows($results) == 0){
$data = 1;
}
else{
$data = '';
while($row = mysqli_fetch_assoc($results)){
$data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>';
}
}
}
}
include "db/closelogindb.php";
echo $data;
?>
HTML / Javascript http://thomas-smyth.co.uk/admin/accountlist.php
答案 0 :(得分:2)
<?php
// Create the array to store the variables
$array = array();
//Retrieves variables from Javascript.
//Where $conn is your database connection
if (isset($_POST["Surname"])) $array['surname'] = mysqli_real_escape_string($conn, $_POST["Surname"]);
if (isset($_POST["Forename"])) $array['forename'] = mysqli_real_escape_string($conn, $_POST["Forename"]);
if (isset($_POST["Username"])) $array['username'] = mysqli_real_escape_string($conn, $_POST["Username"]);
if (isset($_POST["Joined"])) $array['joined'] = mysqli_real_escape_string($conn, $_POST["Joined"]);
if (isset($_POST["Rank"])) $array['rank'] = mysqli_real_escape_string($conn, $_POST["Rank"]);
if (isset($_POST["ANDOR"])) $ANDOR = mysqli_real_escape_string($conn, $_POST["ANDOR"]);
$data = 0;
include "db/openlogindb.php";
if($DBError == true){
$data = 3;
}
else{
//Make a variable to check for the last key in the array
$last_key = end(array_keys($array));
if($ANDOR == 'AND'){
$UserSearch = "SELECT ";
foreach ($array as $key => $value)
{
$UserSearch .= $key;
if ($last_key != $key) $UserSearch .= ', ';
}
$UserSearch .= ' FROM users WHERE ';
foreach ($array as $key => $value)
{
$UserSearch .= $key . ' LIKE %"' . $value . '"%';
if ($last_key != $key) $UserSearch .= ' AND ';
}
}
else if($ANDOR == 'OR'){
$UserSearch = "SELECT ";
foreach ($array as $key => $value)
{
$UserSearch .= $key;
if ($last_key != $key) $UserSearch .= ', ';
}
$UserSearch .= ' FROM users WHERE ';
foreach ($array as $key => $value)
{
$UserSearch .= $key . ' LIKE %"' . $value . '"%';
if ($last_key != $key) $UserSearch .= ' OR ';
}
}
else{
$data = 2;
}
if($data == 0){
$results = mysqli_query($conn, $UserSearch);
if(mysqli_num_rows($results) == 0){
$data = 1;
}
else{
$data = '';
while($row = mysqli_fetch_assoc($results)){
$data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>';
}
}
}
}
include "db/closelogindb.php";
echo $data;
?>
答案 1 :(得分:0)
这可能远非完美,但确实有效。我打算在读完它后立即添加SQL注入保护。
<?php
//Retrieves variables from Javascript.
$Surname = $_POST["Surname"];
$Forename = $_POST["Forename"];
$Username = $_POST["Username"];
$Joined = $_POST["Joined"];
$Rank = $_POST["Rank"];
$ANDOR = $_POST["ANDOR"];
if($Surname == ""){
$Surname = "xxxxxxxxxx";
}
if($Forename == ""){
$Forename = "xxxxxxxxxx";
}
if($Username == ""){
$Username = "xxxxxxxxxx";
}
if($Joined == ""){
$Joined = "xxxxxxxxxx";
}
if($Rank == ""){
$Rank = "xxxxxxxxxx";
}
$data = 0;
include "db/openlogindb.php";
if($DBError == true){
$data = 3;
}
else{
if($ANDOR == "AND"){
$UserSearch = "SELECT username, surname, forename, joined, rank FROM users
WHERE surname LIKE '%".$Surname."%'
AND forename LIKE '%".$Forename."%'
AND username LIKE '%".$Username."%'
AND joined LIKE '%".$Joined."%'
AND rank LIKE '%".$Rank."%'
ORDER BY surname";
}
else if($ANDOR == "OR"){
$UserSearch = "SELECT username, surname, forename, joined, rank FROM users
WHERE surname LIKE '%".$Surname."%'
OR forename LIKE '%".$Forename."%'
OR username LIKE '%".$Username."%'
OR joined LIKE '%".$Joined."%'
OR rank LIKE '%".$Rank."%'
ORDER BY surname";
}
else{
$data = 2;
}
if($data == 0){
$results = mysqli_query($conn, $UserSearch);
if(mysqli_num_rows($results) == 0){
$data = 1;
}
else{
$data = '';
while($row = mysqli_fetch_assoc($results)){
$data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>';
}
}
}
}
include "db/closelogindb.php";
echo $data;
?>