"Greater than" and "less than" operators do not work in the query

Time: 2018-06-14 10:02:38

Tags: php mysqli

The "equal" and "not equal" operators work fine in my search query. However, the "greater than" and "less than" operators do not work.

For example, when I enter "SELECT * FROM expressForm WHERE efPostage != 460", I get https://imgur.com/7KleuwX.png, which works well.

However, when I enter "SELECT * FROM expressForm WHERE efPostage <= 460", I get "No result". This is strange, because there are some efPostage values less than 460.

PHP code

$mysqli = mysqli_connect("localhost", "XXX", "XXX", "express")
  or die("Error connecting to database: " . mysqli_connect_error());

// $sQuery holds the raw SQL typed into the search form
$sql = trim(preg_replace('/\s\s+/', ' ', $sQuery)); // collapse runs of whitespace
$sql = htmlspecialchars($sql);                       // HTML-encodes <, >, & and quotes in the whole query
$sql = mysqli_real_escape_string($mysqli, $sql);
$sql = stripslashes($sql);                           // strips the backslashes the previous line added

$sQueryResults = $mysqli->query($sql);

if ($sQueryResults && mysqli_num_rows($sQueryResults) > 0) {
    if (strpos($sql, 'FROM `expressForm`') !== false) {
        echo "<h3 class=\"entity\"> expressForm </h3>";
        echo '<table class="table table-striped table-bordered table-hover">';
        echo "<tr><th>efSerialNo</th><th>signedStID</th><th>efOfficeCode</th><th>efDateMailed</th><th>efPostage</th></tr>";
        while ($row = mysqli_fetch_array($sQueryResults)) {
            echo "B"; // debug marker
            echo "<tr><td>";
            echo $row['efSerialNo'];
            echo "</td><td>";
            echo $row['signedStID'];
            echo "</td><td>";
            echo $row['efOfficeCode'];
            echo "</td><td>";
            echo $row['efDateMailed'];
            echo "</td><td>";
            echo $row['efPostage'];
            echo "</td></tr>";
        }
        echo "</table>";
    }
} else {
    echo "No results<br>";
}

$mysqli->close();

1 answer:

Answer 0 (score: 1)

You are breaking your query by applying things like htmlspecialchars() to the whole thing! That causes things like <= to become &lt;=

You should only worry about escaping the variables you use in the query, not the entire query.

$query = "SELECT * FROM table WHERE column = '" 
         . mysqli_real_escape_string ($mysqli, $parameter)
         . "'";

Better still, you should use prepared statements to handle the parameters in your query. This lets the database engine handle the escaping for you, with the added benefit that it makes SQL injection attacks much harder.

$stmt = $mysqli->prepare("SELECT * FROM table WHERE column = ?");
$stmt->bind_param("i", $value); // "i" indicates that this is expected to be an integer. See documentation for binding other types
$stmt->execute();
$result = $stmt->get_result(); // bind_result() would need one variable per selected column, so fetch rows as arrays instead
while ($row = $result->fetch_assoc()) {
    var_dump($row);
}

It's a bit more involved to set up, but the benefits far outweigh it.
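As an added example (not part of the question or the answer above), here is the same failure and the same fix worked through in Python against an in-memory SQLite table instead of PHP/mysqli, so it runs offline. mangle_query() reproduces what the question's code does to the whole query string (html.escape is the counterpart of htmlspecialchars), and search_postage() is the parameterized alternative the answer recommends: the comparison operator comes from a fixed allowlist, because an operator cannot be passed as a bound parameter, and the value is bound as an integer, the equivalent of bind_param("i", ...). The table layout, sample rows and function names are constructed for this example.

```python
import html
import sqlite3

# Constructed sample rows in the shape of the question's expressForm table.
SAMPLE_ROWS = [
    ("EF001", "ST01", "HK01", "2018-06-01", 300),
    ("EF002", "ST02", "HK02", "2018-06-02", 460),
    ("EF003", "ST03", "HK01", "2018-06-03", 520),
]

# Only these comparison operators may appear in a search; anything else is rejected.
ALLOWED_OPERATORS = ("=", "!=", "<", "<=", ">", ">=")


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expressForm ("
        "efSerialNo TEXT, signedStID TEXT, efOfficeCode TEXT, "
        "efDateMailed TEXT, efPostage INTEGER)"
    )
    conn.executemany("INSERT INTO expressForm VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def mangle_query(sql):
    """Apply HTML escaping to the whole query, as the question's code does.

    '!=' survives untouched, but '<' and '>' become '&lt;' and '&gt;', which
    is why only the equality operators appeared to work.
    """
    return html.escape(sql, quote=False)


def run_raw(conn, sql):
    """Run a raw query string; return the rows, or None if SQLite rejects it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def search_postage(conn, operator, value):
    """Parameterized search: operator from an allowlist, value bound as an integer."""
    if operator not in ALLOWED_OPERATORS:
        raise ValueError("unsupported comparison operator: %r" % (operator,))
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError("efPostage must be compared against an int")
    # The operator is interpolated only after the allowlist check; the value is
    # never part of the SQL text, so no escaping step is needed at all.
    sql = (
        "SELECT efSerialNo, efPostage FROM expressForm "
        "WHERE efPostage %s ? ORDER BY efSerialNo" % operator
    )
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    broken = mangle_query("SELECT * FROM expressForm WHERE efPostage <= 460")
    print(broken)                         # the '<=' is now '&lt;='
    print(run_raw(db, broken))            # None: SQLite cannot parse it
    print(search_postage(db, "<=", 460))  # [('EF001', 300), ('EF002', 460)]
    print(search_postage(db, "!=", 460))  # [('EF001', 300), ('EF003', 520)]
```

The split between operator and value is the point: the database driver can bind a value, but the shape of the SQL text (which columns, which operator) has to be fixed by the application, so that part is validated against a short list rather than escaped.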