对于所有关心的人来说,if not empty语句为我工作
我是SQL和PHP的新手,我试图实现一个搜索功能,从一个处理葡萄酒的MySQL数据库中抓取数据。
我已经想出如何做一个查询哪里有一个搜索变量,我已经想出如何做两个搜索变量,我相信我可以继续这种模式——但我想要做的是实现一个搜索功能,可以搜索基于用户输入的变量(这意味着,用户必须输入至少一个值,和搜索将抓住字段搜索相关变量)。
例如,我有这些搜索变量:
- 葡萄酒名称-(用户可以留空或输入一个值)
- 葡萄酒类型-(用户输入值)
- year -(用户可以留空或输入一个值)
根据用户输入的变量数量将决定搜索的精细程度。
我试着搜索论坛,但似乎找不到任何东西。如果我的格式或问题是错误的道歉。将感谢任何帮助或一个点在正确的方向,谢谢!
这是我的代码到目前为止,如果用户输入两个变量'wineName'和'wineryName'工作。我试过用isset来触发某种开关,但我觉得我做得不对。
<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Answer Page</title>
</head>
<body bgcolor="white">
<?php
function showerror() {
die("Error " . mysql_errno() . " : " . mysql_error());
}
require 'db.php';
// Show all wines in a region in a <table>
function displayWines($connection, $query, $wineName) {
// Run the query on the server
if (!($result = @ mysql_query ($query, $connection))) {
showerror();
}
// Find out how many rows are available
$rowsFound = @ mysql_num_rows($result);
// If the query has results ...
if ($rowsFound > 0) {
// ... print out a header
print "You searched for $wineName with a region of $wineryName <br><br>";
// and start a <table>.
print "'n<table>'n<tr>" .
"'n't<th>Wine ID</th>" .
"'n't<th>Wine Name</th>" .
"'n't<th>Winery Name</th>" .
"'n't<th>Year</th>'n</tr>";
// Fetch each of the query rows
while ($row = @ mysql_fetch_array($result)) {
// Print one row of results
print "'n<tr>'n't<td>{$row["wine_id"]}</td>" .
"'n't<td>{$row["wine_name"]}</td>" .
"'n't<td>{$row["winery_name"]}</td>" .
"'n't<td>{$row["year"]}</td>'n</tr>";
} //end while loop body
//finish table
print "'n</table>";
} //end if $rowsFound body
//Report how many rows were found
print "<br>{$rowsFound} records found matching your criteria<br>";
} //end of function
// Connect to the MySQL server
if (!($connection = @ mysql_connect(DB_HOST, DB_USER, DB_PW))) {
die("Could not connect");
}
//get user data
$wineName = $_GET['wineName'];
$wineryName = $_GET['wineryName'];
if (!mysql_select_db(DB_NAME, $connection)) {
showerror();
}
//start a query
$query = "SELECT wine_id, wine_name, winery_name, year
FROM wine, winery
WHERE wine.winery_id = winery.winery_id";
if (isset($wineName)) {
$query .= " AND wine_name = '{$wineName}'";
}
if (isset($wineryName)) {
$query .= " AND winery_name = '{$wineryName}'";
}
//order the list
$query .= " ORDER BY wine_name";
//run query, show results
displayWines($connection, $query, $wineName);
?>
</body>
</html>
//start a query
$query = "SELECT wine_id, wine_name, winery_name, year
FROM wine, winery
WHERE wine.winery_id = winery.winery_id";
if (isset($wineName)) {
$query .= " AND wine_name LIKE '%$wineName%'";
}
if (isset($wineryName)) {
$query .= " AND winery_name LIKE '%$wineryName%'";
}
//order the list
$query .= " ORDER BY wine_name";
//run query, show results
displayWines($connection, $query, $wineName);
首先,将INPUT
的名称更改为数组,例如
<input name="wine[wineName]" ...>
<input name="wine[wineryName]" ...>
现在你必须改变获取用户数据的方式:
// Define an array of allowed fields ("whitelist")
$fields = array('wineName', 'wineryName');
// Get the fields given by the user
$wine = array();
foreach($fields as $field)
if (isset($_GET['wine'][$field]))
$wine[$field] = mysql_real_escape_string($_GET['wine'][$field]);
// ... your code here ...
//start a query
$query = "SELECT wine_id, wine_name, winery_name, year
FROM wine, winery
WHERE wine.winery_id = winery.winery_id";
foreach ($wine as $field => $value) $query .= " AND ".$field." = '".$value."'";
一个重要提示:永远不要在查询中使用用户给出的输入而不转义!(参见http://php.net/manual/en/function.mysql-real-escape-string.php)
请看以下几行:
print "'n<tr>'n't<td>{$row["wine_id"]}</td>" .
"'n't<td>{$row["wine_name"]}</td>" .
"'n't<td>{$row["winery_name"]}</td>" .
"'n't<td>{$row["year"]}</td>'n</tr>";
应该是
print "'n<tr>'n't<td>{$row['wine_id']}</td>" .
"'n't<td>{$row['wine_name']}</td>" .
"'n't<td>{$row['winery_name']}</td>" .
"'n't<td>{$row['year']}</td>'n</tr>";
。数组键的双引号关闭了字符串。
注意:
因为你的导师已经说过使用过时的mysql_*函数,你不能做太多。但是请记住,您最好使用参数化的预处理语句,并将您的输入值绑定到参数(使用PDO或mysqli)。