“Equal”和“Not equal”运算符在我的搜索查询中运行良好。 但是,“大于”和“小于”运算符不起作用。
例如,当我输入“SELECT * FROM expressForm
WHERE efPostage
!= 460”时,我可以得到
https://imgur.com/7KleuwX.png,效果很好。
然而,当我输入“SELECT * FROM expressForm
WHERE efPostage
< = 460”时,我得到“No result”。这很奇怪,因为有一些efPostage值小于460。
$mysqli = mysqli_connect("localhost", "XXX", "XXX", "express")
or die("Error connecting to database: ".mysqli_error($mysqli));
$sql = trim(preg_replace('/\s\s+/', ' ', $sQuery));
$sql = htmlspecialchars($sql);
$sql = mysqli_real_escape_string($mysqli, $sql);
$sql = stripslashes($sql);
$sQueryResults = $mysqli->query($sql);
if(mysqli_num_rows($sQueryResults) > 0) {
if (strpos($sql, 'FROM `expressForm`') !== false) {
echo "<h3 class = \"entity\"> expressForm </h3>";
echo '<table class=\"table table-striped table-bordered table-hover\">';
echo "<tr><th>efSerialNo</th><th>signedStID</th><th>efOfficeCode</th><th>efDateMailed</th><th>efPostage</th></tr>";
while($row = mysqli_fetch_array($sQueryResults)) {
echo "B";
echo "<tr><td>";
echo $row['efSerialNo'];
echo "</td><td>";
echo $row['signedStID'];
echo "</td><td>";
echo $row['efOfficeCode'];
echo "</td><td>";
echo $row['efDateMailed'];
echo "</td><td>";
echo $row['efPostage'];
echo "</td></tr>";
}
echo "</table>";
}
else {
echo "No results<br>";
}
$mysqli->close();
答案 0 :(得分:1)
您通过将htmlspecialchars()等内容应用于整个事情来破坏您的查询!这会导致<=
之类的内容变为<=
您应该只担心转义您在查询中使用的变量,而不是整个查询。
$query = "SELECT * FROM table WHERE column = '"
. mysqli_real_escape_string ($mysqli, $parameter)
. "'";
更好的是,您应该使用prepared statements来处理查询中的参数。这将导致数据库引擎为您处理转义,其额外的好处是它使SQL注入攻击变得更加困难。
$stmt = $mysqli->prepare ("SELECT * FROM table WHERE column = ?");
$stmt->bind_param ("i", $value); // "i" indicates that this is expected to be an integer. See documentation for binding other types
$stmt->execute();
$stmt->bind_result($result);
$stmt->fetch();
var_dump ($result);
设置起来有点偏僻,但好处远远超过它。