通过多个用户选择过滤数据库中的数据

时间:2019-05-25 19:00:59

标签: php mysql sql

当前,我正在开发一个搜索表单,因此我的SQL查询需要随用户输入而更改。请参见下面的代码示例。

$sqlSearch = "SELECT * FROM seafarers WHERE  ";

if ($dateS != "") {
    $sqlSearch .= "add_date = '" . changeDateSlashToHypen($dateS) . "' and ";
}
if ($cdcS != "") {
    $sqlSearch .= "cdc = '" . $cdcS . "'  and ";
}
if ($ppS != "") {
    $sqlSearch .= "passport LIKE  '%$ppS%'  and ";
} 
if ($surnameS != "") {
    $sqlSearch .= "surname LIKE '" . $surnameS . "%'  and ";

为了执行该语句,用户必须选择所有选项;如果用户选择一个或两个选项,则该语句将不起作用。

2 个答案:

答案 0 :(得分:2)

不要像这样将您的查询拼凑在一起。使用准备好的语句。示例:

SELECT * 
FROM seafarers 
WHERE (:dt is null or add_date = :dt)
and (:cdc is null or cdc = :cdc)

在执行之前,您必须填写查询的参数。

答案 1 :(得分:1)

首先使用占位符,例如1=1,该占位符始终为true,然后使用AND作为前缀而不是后缀。

$sqlSearch = "SELECT * FROM seafarers WHERE 1=1 ";

if ($dateS != "") {
    $sqlSearch .= " AND add_date = '" . changeDateSlashToHypen($dateS) . "'";
}
...

但是,正如其他答案中指出的那样,您需要使用准备好的语句。因此,假设您使用的是mysqli,那么每个人似乎都出于某种原因而这样做:

$sqlSearch = "SELECT * FROM seafarers WHERE 1=1 ";

$types = "";
$parameters = [];

if ($dateS != "") {
    $sqlSearch .= " AND add_date = ?";
    $types .= "s";
    $parameters[] = changeDateSlashToHypen($dateS);
}
if ($cdcS != "") {
    $sqlSearch .= " AND cdc = ?";
    $types .= "s";
    $parameters[] = $cdcS;
}
if ($ppS != "") {
    $sqlSearch .= " AND passport LIKE  ?";
    $types .= "s";
    $parameters[] = "%$ppS%";
} 
if ($surnameS != "") {
    $sqlSearch .= " AND surname LIKE ?";
    $types .= "s";
    $parameters[] = "$surnameS%";
}

$stmt = $db->prepare($sqlSearch);
if (count($parameters) {
    $stmt->bind_param($types, ...$parameters);
}
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    ...
}
相关问题
最新问题