根据Checkbox值过滤结果

时间:2017-06-13 17:11:43

标签: php filter sql-injection dynamic-sql form-parameter

这是我的PHP代码

// category filter
    if(!isset($_POST['products']) || $_POST['products'] == ""){
        $category_filter = "";
    } else {
        $category_filter = " AND cat_id='".$_POST['products']."'";
    }

// offers filter
    if($_POST['offer'] != "YES")
    {
        $offer_filter = "";
    } else {
        $offer_filter = " AND offer=1"; 
    }

    $sql = $db->get_rows("
        SELECT *, ( 3959 * ACOS( COS( RADIANS(".$_POST['lat'].") ) * COS( RADIANS( latitude ) ) * COS( RADIANS( longitude ) - RADIANS(".$_POST['lng'].") ) + SIN( RADIANS(".$_POST['lat'].") ) * SIN( RADIANS( latitude ) ) ) ) AS distance 
        FROM stores 
    WHERE status=1 AND approved=1 ".$offer_filter." ".$category_filter." 
    HAVING distance <= ".$_POST['distance']." 
    ORDER BY distance ASC 
    LIMIT 0,60");

我希望在我的SQL查询中获得$offer_filter的正确值,就像$category_filter一样。 我想我错过了某个地方的东西.​​.....如果有人可以帮我这个......

以下是我的HTML代码在php索引文件中的复选框输入...

<input type="checkbox" name="offer" value="Yes" onChange="cachesearch = '';$('#clinic-finder-form').submit();"> Discount Offers Available

0 个答案:

没有答案