使用php在mysql中进行简单搜索

时间:2011-01-16 19:15:17

标签: php mysql

我有这个代码用于在mysql中搜索,但它没有运行,我不知道为什么。

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <fieldset>
    <legend>search Employees</legend> 
     <form name="search" method="post" action= <?=$PHP_SELF?>>
     Αναζήτηση για: <input type="text" name="find" /> στο
     <Select NAME="field">
     <Option VALUE="fname">First Name</option>
     <Option VALUE="lname">Surname</option>
     <Option VALUE="phone">Phone</option>
     <Option VALUE="address">Address</option>
     </Select>
     <input type="hidden" name="searching" value="yes" />
     <input type="submit" name="search" value="Search" />
     </form>
     </fieldset>
    <? 
     //This is only displayed if they have submitted the form 
     if ($searching =="yes") 
     { 
     echo "<h2>Results</h2><p>"; 

     //If they did not enter a search term we give them an error 
     if ($find == "") 
     { 
     echo "<p>You forgot to enter a search term"; 
     exit; 
     } 

     // Otherwise we connect to our Database 
     mysql_connect("localhost", "root", "123") or die(mysql_error()); 
     mysql_select_db("ergasia2") or die(mysql_error()); 

     // We preform a bit of filtering 
     $find = strtoupper($find); 
     $find = strip_tags($find); 
     $find = trim ($find); 

     //Now we search for our search term, in the field the user specified 
     $data = mysql_query("SELECT * FROM EMPLOYEES WHERE upper($field) LIKE'%$find%'"); 

     //And we display the results 
     while($result = mysql_fetch_array( $data )) 
     { 
     echo $result['fname']; 
     echo " "; 
     echo $result['lname']; 
     echo "<br>"; 
     echo $result['info']; 
     echo "<br>"; 
     echo "<br>"; 
     } 

     //This counts the number or results - and if there wasn't any it gives them a little message explaining that 
     $anymatches=mysql_num_rows($data); 
     if ($anymatches == 0) 
     { 
     echo "Sorry, but we can not find an entry to match your query<br><br>"; 
     } 

     //And we remind them what they searched for 
     echo "<b>Searched For:</b> " .$find; 
     } 

 ?>

2 个答案:

答案 0 :(得分:2)

您的代码假定register_globals已打开(新安装的php默认为关闭)这应该关闭,因为这是一个安全风险。我建议阅读一个教程,用于创建一个显示安全性等的SQL搜索。

我没有写错,而是写了这篇教程,也许它会帮助你:Simple SQL Search

答案 1 :(得分:0)

很可能是因为您的查询错误。您不能对此列名称使用UPPER。此外,不确定您的字段名称是FIELD(完整大写)还是Field(仅限首字母大写)。不要忘记逃避你的意见!

试试这个:

$escaped_field = mysql_real_escape_string($field);
$field_name = strtoupper($escaped_field); // if you want FIELD
$field_name = ucfirst($escaped_field);    // if you want Field
$data = mysql_query("SELECT * FROM EMPLOYEES WHERE `$field_name` LIKE '%$find%'");

我可以补充说,如果你的表名/列名真的是大写的(例如:FIELD),你可能想要改变它。大写关键字通常是保留关键字,因此可能会令人困惑。

相关问题
最新问题