Question

我正在尝试添加选项，以使用下拉列表选择要对SELECT语句进行排序的内容。我以前工作的SELECT语句将从我的表中选择数据，并按点排序。现在我希望能够通过积分，目标或助攻等来订购。

这是我之前的工作声明：

$query = $db->prepare("SELECT player_stats.*, teams.*
                       FROM player_stats
                       LEFT JOIN teams ON player_stats.tid = teams.teamid
                       WHERE season = :season
                       ORDER BY points DESC
                       LIMIT 20");
$query->bindParam(':season', $season);
$query->execute();
$result = $query->fetchAll();

以前的工作表格：

<form action= "<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="get" id="search">
    <select name='statsYear' id='statsYear' class='dropDown' onchange='this.form.submit()'>
        <option <?php if (($_GET['statsYear'] == '20162017') || !isset($_GET['statsYear'])) { ?>selected="true" <?php }; ?>value="20162017">2016-2017</option>
        <option <?php if ($_GET['statsYear'] == '20152016') { ?>selected="true" <?php }; ?>value="20152016">2015-2016</option>
        <option <?php if ($_GET['statsYear'] == '20142015') { ?>selected="true" <?php }; ?>value="20142015">2014-2015</option>
        <option <?php if ($_GET['statsYear'] == '20132014') { ?>selected="true" <?php }; ?>value="20132014">2013-2014</option>
        <option <?php if ($_GET['statsYear'] == '20122013') { ?>selected="true" <?php }; ?>value="20122013">2012-2013</option>
    </select>
</form>

这是我的新SELECT版本，它提供了错误的输出。我将在稍后分享一个指向错误输出的链接：

    $query = $db->prepare("SELECT player_stats.*, teams.*
                           FROM player_stats
                           LEFT JOIN teams ON player_stats.tid = teams.teamid
                           WHERE season = :season
                           ORDER BY  :statstype DESC
                           LIMIT 20");
    $query->bindParam(':season', $season);
    $query->bindParam(':statstype', $statsType);
    $query->execute();
    $result = $query->fetchAll();
  echoTable($result);

上述查询无法识别新的$statsType变量。这是我需要帮助的地方。这是我的新表格和变量声明供参考：

if (isset($_GET['statsType'])) {
    $statsType = $_GET['statsType'];
} else {    
    $statsType = 'points' ;
}

<form action= "<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="get" id="search">
    <select name='statsYear' id='statsYear' class='dropDown' onchange='this.form.submit()'>
        <option <?php if (($_GET['statsYear'] == '20162017') || !isset($_GET['statsYear'])) { ?>selected="true" <?php }; ?>value="20162017">2016-2017</option>
        <option <?php if ($_GET['statsYear'] == '20152016') { ?>selected="true" <?php }; ?>value="20152016">2015-2016</option>
        <option <?php if ($_GET['statsYear'] == '20142015') { ?>selected="true" <?php }; ?>value="20142015">2014-2015</option>
        <option <?php if ($_GET['statsYear'] == '20132014') { ?>selected="true" <?php }; ?>value="20132014">2013-2014</option>
        <option <?php if ($_GET['statsYear'] == '20122013') { ?>selected="true" <?php }; ?>value="20122013">2012-2013</option>
    </select>
        <select  name="statsType" id="statsType" class="dropDown" onchange='this.form.submit()'>
        <option <?php if ($_GET['statsType'] == 'points'  || !isset($_GET['statsType'])) { ?>selected="true" <?php }; ?> value="points">Points</option>
        <option <?php if ($_GET['statsType'] == 'goals') { ?>selected="true" <?php }; ?> value="goals">Goals</option>
        <option <?php if ($_GET['statsType'] == 'assists') { ?>selected="true" <?php }; ?>value="assists">Assists</option>
        <option <?php if (($_GET['statsType'] == 'pim') ) { ?>selected="true" <?php }; ?>value="pim">PIM</option>
        <option <?php if ($_GET['statsType'] == 'pm') { ?>selected="true" <?php }; ?>value="pm">+/-</option>
        <option <?php if (($_GET['statsType'] == 'toi') ) { ?>selected="true" <?php }; ?>value="toi">TOI</option>
    </select>
</form>

如果我选择表单中的帮助，这就是查询的样子：
这是实际输出：
http://sjsharktank.com/leaders.php?statsYear=20162017&statsType=assists

Answer 1

你不能在列中使用param ..你应该使用（最终）字符串连接并以dinamically方式构建sql命令

但注意sql注入

$query = $db->prepare("SELECT player_stats.*, teams.*
                           FROM player_stats
                           LEFT JOIN teams ON player_stats.tid = teams.teamid
                           WHERE season = :season
                           ORDER BY  " . $statstype  . " DESC
                           LIMIT 20");

如果您可以使用双引号进行嵌套，则使用相同的

$query = $db->prepare('SELECT player_stats.*, teams.*
                           FROM player_stats
                           LEFT JOIN teams ON player_stats.tid = teams.teamid
                           WHERE season = :season
                           ORDER BY  ' . $statstype  . ' DESC
                           LIMIT 20');

您还可以使用双引号和PHP魔术行为进行变种

$query = $db->prepare("SELECT player_stats.*, teams.*
                           FROM player_stats
                           LEFT JOIN teams ON player_stats.tid = teams.teamid
                           WHERE season = :season
                           ORDER BY  $statstype   DESC
                           LIMIT 20");

SELECT语句PDO向ORDER BY子句

1 个答案: