function showSearchResults()
{
$keyword = $_POST['keyword'];
$q = "SELECT * FROM user_info INNER JOIN project ON user_info.user_id = project.user_id
LEFT JOIN bedsize ON project.bedsize_fk = bedsize.bedsize_id
LEFT JOIN topics_of_improv ON project.p_id = topics_of_improv.p_id
LEFT JOIN medication ON topics_of_improv.medication_fk = medication.med_id
LEFT JOIN care_trans ON topics_of_improv.care_trans_fk = care_trans.care_trans_id
LEFT JOIN hosp_acquired_infect ON topics_of_improv.hosp_acquired_infect_fk = hosp_acquired_infect.hai_id
LEFT JOIN hosp_patient_care_pro ON topics_of_improv.hosp_patient_care_pro_fk = hosp_patient_care_pro.hpcp_id
LEFT JOIN health_it ON topics_of_improv.health_it_fk = health_it.health_it_id
LEFT JOIN teamwork ON topics_of_improv.teamwork_fk = teamwork.teamwork_id
LEFT JOIN project_diss ON topics_of_improv.project_diss_fk = project_diss.project_diss_id
LEFT JOIN resources ON topics_of_improv.resources_fk = resources.resources_id LEFT JOIN summary ON project.p_id = summary.p_id
LEFT JOIN process ON summary.process_fk = process.process_id
WHERE (project.description LIKE '%" . $keyword . "%'
OR summary.improvement LIKE '%" . $keyword . "%'
OR summary.interventions LIKE '%" . $keyword . "%'
OR summary.brief LIKE '%" . $keyword . "%'
OR summary.lessons LIKE '%" . $keyword . "%'
OR summary.actions LIKE '%" . $keyword . "%'
OR summary.measures LIKE '%" . $keyword . "%'
OR summary.clinical LIKE '%" . $keyword . "%')
ORDER BY project.p_id DESC";
@$type = $_POST['type'];
@$state = $_POST['state'];
@$bedsize = $_POST['bedsize'];
@$care_trans = $_POST['care_trans'];
@$health_it = $_POST['health_it'];
@$hai = $_POST['hai'];
@$hpcp = $_POST['hpcp'];
@$medication = $_POST['medication'];
@$process = $_POST['process'];
@$project_diss = $_POST['pro_diss'];
@$resources = $_POST['resources'];
@$teamwork = $_POST['teamwork'];
$uid = $_SESSION['userid'];
if ($_SESSION['level'] == '0')
//$q .= "AND project.approved = 'yes' ";
//if($uid)
//$q .= "AND project.user_id = '".$uid."' ";
if($uid)
$q .= "AND project.user_id = '".$uid."' OR project.approved = 'yes'";
if($type)
$q .= " AND project.type = '".$type."' ";
if($state)
$q .= " AND project.p_state = '".$state."' ";
if($bedsize)
$q .= " AND bedsize.bedsize_id = '".$bedsize."' ";
if($care_trans)
$q .= " AND care_trans.care_trans_id = '".$care_trans."' ";
if($health_it)
$q .= " AND health_it.health_it_id = '".$health_it."' ";
if($hai)
$q .= " AND hosp_acquired_infect.hai_id = '".$hai."' ";
if($hpcp)
$q .= " AND hosp_patient_care_pro.hpcp_id = '".$hpcp."' ";
if($medication)
$q .= " AND medication.med_id = '".$medication."' ";
if($process)
$q .= " AND project.p_state = '".$process."' ";
if($project_diss)
$q .= " AND project_diss.project_diss_id = '".$project_diss."' ";
if($resources)
$q .= " AND resources.resources_id = '".$resources."' ";
if($teamwork)
$q .= " AND teamwork.teamwork_id = '".$teamwork."' ";
$result = mysql_query($q) or die(mysql_error());
if(mysql_num_rows($result)==0){
echo "<tr>";
echo "<td>No records matched your search criteria</td>";
echo "<td></td>";
echo "<td><a href='advanced_search.php'>Please click here to try again</a></td>";
echo "<td></td>";
echo "<td></td>";
echo "<td></td>";
echo "</tr>";
}
while($row = mysql_fetch_array($result)){
$p_id = $row["p_id"];
$uid = $row["user_id"];
$firstname = $row["firstname"];
$lastname = $row["lastname"];
$title = $row["title"];
$description = $row["description"];
$p_hospital = $row["p_hospital"];
$approved = $row["approved"];
if($_GET['order'] == "submitter"){
echo "<tr>";
echo "<td>$firstname $lastname</td>";
echo "<td>$p_hospital</td>";
echo "<td>$description</td>";
echo "<td>";
echo ($approved == "Yes") ? "<img src='imgs/check.png' />" : "<img src='imgs/pending.png' />" ;
echo "</td>";
echo "<td>$title</td>";
echo "<td><a href='details.php?p_id=$p_id'>View</a><br /></td>";
echo "</tr>";
}else if($_GET['order'] == "hospital"){
echo "<tr>";
echo "<td>$p_hospital</td>";
echo "<td>$description</td>";
echo "<td>";
echo ($approved == "Yes") ? "<img src='imgs/check.png' />" : "<img src='imgs/pending.png' />" ;
echo "</td>";
echo "<td>$title</td>";
echo "<td>$firstname $lastname</td>";
echo "<td><a href='details.php?p_id=$p_id'>View</a><br /></td>";
echo "</tr>";
}else if($_GET['order'] == "keywords"){
echo "<tr>";
echo "<td>$description</td>";
echo "<td>";
echo ($approved == "Yes") ? "<img src='imgs/check.png' />" : "<img src='imgs/pending.png' />" ;
echo "</td>";
echo "<td>$title</td>";
echo "<td>$firstname $lastname</td>";
echo "<td>$p_hospital</td>";
echo "<td><a href='details.php?p_id=$p_id'>View</a><br /></td>";
echo "</tr>";
}else if($_GET['order'] == "status"){
echo "<tr>";
echo "<td>";
echo ($approved == "Yes") ? "<img src='imgs/check.png' />" : "<img src='imgs/pending.png' />" ;
echo "</td>";
echo "<td>$title</td>";
echo "<td>$firstname $lastname</td>";
echo "<td>$p_hospital</td>";
echo "<td>$description</td>";
echo "<td><a href='details.php?p_id=$p_id'>View</a><br /></td>";
echo "</tr>";
}else{
echo "<tr>";
echo "<td>$title</td>";
echo "<td>$firstname $lastname</td>";
echo "<td>$p_hospital</td>";
echo "<td>$description</td>";
echo "<td>";
echo ($approved == "Yes") ? "<img src='imgs/check.png' />" : "<img src='imgs/pending.png' />" ;
echo "</td>";
echo "<td><a href='details.php?p_id=$p_id'>View</a><br /></td>";
echo "</tr>";
}
}
}
}
答案 0 :(得分:4)
首先,您的代码看起来像SQL injection attack等待发生。如果必须像这样手工构建SQL查询,至少在输入变量上使用mysql_real_escape_string()
。
完成后,请从查询的初始部分中取出ORDER BY project.p_id DESC
,然后添加
$q .= " ORDER BY project.p_id DESC ";
在行
之前$result = mysql_query($q) or die(mysql_error());
这样,ORDER BY
子句将位于查询的末尾,它属于它。
答案 1 :(得分:1)
您的代码会在变量y中向查询添加其他WHERE
子句。如果q以WHERE
子句结束,则此方法有效,但如果q以ORDER BY
结尾,则此方法无效。您要做的是确保ORDER BY
在所有WHERE
条款之后。
答案 2 :(得分:0)
ORDER BY 关键字用于对结果集进行排序。 project.p_id DESC 不是结果集的一部分。 它必须是
SELECT user_info.column_name,....,project.p_id FROM user_info ........