添加搜索字段

时间:2011-04-23 14:55:37

标签: php search 

<form method="post" action="oabtest.php?go" id="searchform">
    <input type="text" name="name">
    <input type="submit" name="submit" value="Search">
</form>
<p><a href="?by=A">A</a> | <a href="?by=B">B</a> | <a href="?by=C">C</a> |<a href="?by=D">D</a> |<a href="?by=E">E</a> |<a href="?by=F">F</a> |<a href="?by=G">G</a> |<a href="?by=H">H</a> |<a href="?by=I">I</a> |<a href="?by=J">J</a> |<a href="?by=K">K</a> |<a href="?by=L">L</a> |<a href="?by=M">M</a> |<a href="?by=N">N</a> |<a href="?by=O">O</a> |<a href="?by=P">P</a> |<a href="?by=Q">Q</a> |<a href="?by=R">R</a> |<a href="?by=S">S</a> |<a href="?by=T">T</a> |<a href="?by=U">U</a> |<a href="?by=V">V</a> |<a href="?by=W">W</a> |<a href="?by=X">X</a> |<a href="?by=Y">Y</a> |<a href="?by=Z">Z</a> </p>

<p>You may also search by Patrol.</p>
<form method="post" action="oabtest.php?go" id="searchform">
    <input type="text" name="patrol">
    <input type="submit" name="submit" value="Search">
</form>
<?php
//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect("localhost", "*****", "*****");
if (!$link) {
    die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db("troop97_***");
if (!$db) {
    die("Unable to select database");
}

if (isset($_POST['submit'])) {
    if (isset($_GET['go'])) {
        if (preg_match("/[A-Z | a-z]+/", $_POST['name'])) {
            $name = $_POST['name'];


//-query the database table
            $sql = "SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '" . mysql_real_escape_string($name) . "%' OR Last_Name LIKE '" . mysql_real_escape_string($name) . "%'";
//-run the query against the mysql query function
            $result = mysql_query($sql);

//-count results

            $numrows = mysql_num_rows($result);

            echo "<p>" . $numrows . " results found for " . stripslashes($name) . "</p>";

//-create while loop and loop through result set
            while ($row = mysql_fetch_array($result)) {

                $First_Name = $row['First_Name'];
                $Last_Name = $row['Last_Name'];
                $ID = $row['ID'];

//-display the result of the array

                echo "<ul>\n";
                echo "<li>" . "<a href=\"oabtest.php?id=$ID\">" . $First_Name . " " . $Last_Name . "</a></li>\n";
                echo "</ul>";
            }
        } else {
            echo "<p>Please enter a search query</p>";
        }
    }
}

if (isset($_GET['by'])) {
    $letter = $_GET['by'];

//-query the database table
    $letter = mysql_real_escape_string($letter);
    $sql = "SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '" . $letter . "%' 
OR Last_Name LIKE '" . $letter . "%'";

//-run the query against the mysql query function
    $result = mysql_query($sql);

//-count results
    $numrows = mysql_num_rows($result);

    echo "<p>" . $numrows . " results found for " . $letter . "</p>";

//-create while loop and loop through result set
    while ($row = mysql_fetch_array($result)) {

        $First_Name = $row['First_Name'];
        $Last_Name = $row['Last_Name'];
        $ID = $row['ID'];

//-display the result of the array

        echo "<ul>\n";
        echo "<li>" . "<a href=\"oabtest.php?id=$ID\">" . $First_Name . " " . $Last_Name . "</a></li>\n";
        echo "</ul>";
    }
}

if (isset($_POST['submit'])) {
    if (isset($_GET['go'])) {
        if (preg_match("/[A-Z | a-z]+/", $_POST['patrol'])) {

            $patrol = $_POST['patrol'];



//-query the database table
            $patrol = mysql_real_escape_string($patrol);
            $sql = "SELECT ID, First_Name, Last_Name FROM contact WHERE Patrol LIKE '" . mysql_real_escape_string($patrol) . "%'";

//-run the query against the mysql query function
            $result = mysql_query($sql);

//-count results
            $numrows = mysql_num_rows($result);

            echo "<p>" . $numrows . " results found for " . $patrol . "</p>";

//-create while loop and loop through result set
            while ($row = mysql_fetch_array($result)) {

                $First_Name = $row['First_Name'];
                $Last_Name = $row['Last_Name'];
                $ID = $row['ID'];

//-display the result of the array

                echo "<ul>\n";
                echo "<li>" . "<a href=\"oabtest.php?id=$ID\">" . $First_Name . " " . $Last_Name . "</a></li>\n";
                echo "</ul>";
            }
        }

        if (isset($_GET['id'])) {
            $contactid = $_GET['id'];

//-query the database table
            $sql = "SELECT * FROM contact WHERE ID=" . $contactid;


//-run the query against the mysql query function
            $result = mysql_query($sql);

//-create while loop and loop through result set
            while ($row = mysql_fetch_array($result)) {

                $First_Name = $row['First_Name'];
                $Last_Name = $row['Last_Name'];
                $Home_Phone = $row['Home_Phone'];
                $Cell_Phone = $row['Cell_Phone'];
                $Work_Phone = $row['Work_Phone'];
                $Email = $row['Email'];
                $Home_Street = $row['Home_Street'];
                $Home_City = $row['Home_City'];
                $Home_State = $row['Home_State'];
                $Home_Zip = $row['Home_Zip'];
                $Troop_Role = $row['Troop_Role'];
                $Patrol = $row['Patrol'];

//-display the result of the array

                echo "<ul>\n";
                echo "<li>" . $First_Name . " " . $Last_Name . "</li>\n";
                echo (empty($Home_Phone)) ? '' : "<li>" . $Home_Phone . " Home</li>\n";
                echo (empty($Cell_Phone)) ? '' : "<li>" . $Cell_Phone . " Cell</li>\n";
                echo (empty($Work_Phone)) ? '' : "<li>" . $Work_Phone . " Work</li>\n";
                echo "<li>" . "<a href=mailto:" . $Email . ">" . $Email . "</a></li>\n";
                echo "<li>" . $Home_Street . "</li>\n";
                echo "<li>" . $Home_City . ", " . $Home_State . " " . $Home_Zip . "</li>\n";
                echo "<li>" . $Troop_Role . "</li>\n";
                echo "<li>" . $Patrol . "</li>\n";
                echo "</ul>";
            }
        }
    }
}

2 个答案:

答案 0 :(得分:1)

SQL注入风险

如果您在与数据库交互时使用过提交表单中的值,则应在执行此操作之前转义内容。在MySQL中,执行此操作的最佳功能是mysql_real_escape_string() PHP Manual 

$sql="SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '" . mysql_real_escape_string( $name ) . "%' OR Last_Name LIKE '" . mysql_real_escape_string( $name ) ."%'";

添加要搜索的字段

如果您想在搜索查询中添加其他字段(如“部门”),则只需在搜索表单上添加与其对应的字段,然后调整SQL搜索以将其包含在{{1子句:

WHERE

使用一个字段进行两次搜索

如果您想使用单个文本字段执行上述搜索,则需要为用户决定某种前缀,以便为第二个字段的值添加前缀。

例如,如果我们指定“ in:”作为指定部门的前缀,那么搜索“ John in:Radiology ”会查找任何人第一个或最后一个名称以“ John ”开头,但只有“ Radiology ”部门名称。

$sql="SELECT ID, First_Name, Last_Name
      FROM contact
      WHERE ( First_Name LIKE '" . mysql_real_escape_string( $name ) . "%'
              OR Last_Name LIKE '" . mysql_real_escape_string( $name ) ."%' )
            AND Department='" . mysql_real_escape_string( $department ) ."'";

而不是

list( $name , $department ) = explode( ' in:' , $_POST['name'] , 2 );

LIKE搜索限制

目前,您的代码只会搜索以输入值开头的名字和/或姓氏。您可以通过在搜索字符串的开头添加另一个“%”来使搜索返回仅包含(不仅仅是开头)输入值的字段:

$name = $_POST['name'];

全文搜索

您可能需要查看本教程 - Using MySQL Full-text Searching。它涵盖了全文搜索的概念,允许您在多个数据库字段中查找通过单个字段提交的一个或多个单词。

限制返回行

总是一个好主意,限制您为搜索返回的行数,无论您是分页还是只显示X行。如果不这样做,恶意用户就可以通过简单搜索字母表中的每个字母来刮取整个数据库。

答案 1 :(得分:0)

添加您的假设字段search_field,然后使用"SELECT * FROM contact WHERE search_field='search value' order by First_Name"进行搜索,如果它将是一个像电子邮件这样的唯一字段,请不要忘记在search_field上编制索引。我希望你上面粘贴的代码不会投入生产。在SQL查询中使用它们之前,不要相信用户输入并正确过滤它们,不用说将数据库凭据和连接字符串存储在单独的文件中并包含它。

相关问题
最新问题