$data = mysql_query("SELECT * FROM Plants WHERE PlantType='$plantType' AND EnglishName='$englishName'")
但我怎么能这样做,所以如果用户没有输入英文名称进行搜索,它只能按工厂类型搜索?注意:我会搜索很多字段,例如花的颜色,土壤类型等,我只想搜索用户选择更改的字段。
答案 0 :(得分:2)
在运行查询之前构建查询字符串:
$fields = array();
if ($plantType != "") {
$fields["PlantType"] = $plantType;
}
if ($englishName != "") {
$fields["EnglishName"] = $englishName;
}
if (count($fields) < 1) {
echo "No fields submitted";
} else {
$query = "SELECT * FROM Plants WHERE ";
foreach($fields as $field => $value) {
$query .= $field." = '".$value."' AND ";
}
$query = substr($query,0,-4);
$data = mysql_query($query);
}
答案 1 :(得分:1)
$query = "SELECT * FROM Plants WHERE PlantType='$plantType'";
if(isset($_POST['englishName'])) $query .= " AND EnglishName='$englishName'";
if(isset($_POST['someForm'])) $query .= " AND someForm='$otherForm'";
if(isset($_POST['otherForm'])) $query .= " AND otherForm='$otherForm'";
$data = mysql_query($query);
您也可以准备整个语句,如果变量为空,请使用通配符(%)。
if(isset($_POST['something']) {
$something = mysql_real_escape_string($_POST['something'];)
}else{
$something = '%';
}
显然,您需要检查POST变量以查找错误数据,否则您将自行打开SQL注入攻击。此外,使用PDO准备语句更容易做到这些。我会在PDO @ PHP.net
上阅读答案 2 :(得分:0)
保存用户想要满意的所有条件,并将array和implode保存到查询字符串中:
$conditions = array();
if (isset($_POST['plantType']) && is_string($_POST['plantType']))
$conditions[] = "PlantType = '".mysql_real_escape_string($_POST['plantType'])."'";
if (isset($_POST['englishName']) && is_string($_POST['englishName']))
$conditions[] = "EnglishName = '".mysql_real_escape_string($_POST['englishName'])."'";
// repeat for color, soilType, ...
$query = "SELECT * FROM Plants";
if (count($conditions) > 0)
$query .= " WHERE ".implode(" AND ", $conditions);
$data = mysql_query($query);
执行相同操作的较短版本:
$conditions = array();
$validColumns = array(
// Name of the column in DB => name of the parameter in URL
"PlantType" => "plantType",
"EnglishName" => "englishName",
"Color" => "color",
// add more here
);
// Loop through all valid columns the user might input.
foreach ($validColumns as $column => $param)
{
// If it is set and maybe if it is valid (add validation here).
// add this condition to our array
if (isset($_POST[$param]) && is_string($_POST[$param]) && !empty($_POST[$param]))
$conditions[] = "`$column` = '" .
// Don't forget to escape to prevent SQL-Injection.
mysql_real_escape_string($_POST[$param])."'";
}
$query = "SELECT * FROM Plants";
// Check if there are any conditions. Otherwise display all plants.
if (count($conditions) > 0)
$query .= " WHERE ".implode(" AND ", $conditions);
$data = mysql_query($query);
答案 3 :(得分:0)
根据用户输入,您可以构建查询。
$query_string = "SELECT * FROM Plants WHERE PlantType='$plantType'";
if(!empty($_POST["engName"]))
$query_string .= "AND EnglishName=".$_POST['engName'];
当然要清理$ _POST [“engName”] !!
答案 4 :(得分:0)
有很多先进的技术可以在MySQL中处理这个问题。比如在任何Where子句或甚至合并之后的OR语句。
话虽如此,我会动态构建你的WHERE子句(PS不是为了获得安全性!)
<?php
$sql = "SELECT * FROM Plants WHERE";
$where = array();
if(!empty($_GET['plantType'])){
'PlantType=' . mysql_real_escape_string($_GET['plantType']);
}
if(!empty($_GET['EnglishName'])) {
'EnglishName=' . mysql_real_escape_string($_GET['EnglishName']);
}
if(!empty($_GET['color'])) {
'color=' . mysql_real_escape_string($_GET['color']);
}
if(!empty($_GET['soilType'])) {
'soilType=' . mysql_real_escape_string($_GET['soilType']);
};
foreach($where as $key => $value) {
$sql = $sql . ' ' . $value;
if($key+1 < count($where)) {
$sql = $sql . ' AND'
}
}
$data = mysql_query($sql);
?>