我需要在php中进行sql查询来搜索一些条目(因此使用WHERE)。但用于搜索的字段可以是可变的数字。
我有一个带有搜索表单的页面,其中有4个字段。它通过POST
将字段发送到search.php以进行查询:
$gomme_sql = $data->query("SELECT * FROM table WHERE parameter1 = '$_POST['name1']' AND parameter2 = '$_POST['name2']' ORDER BY id ASC");
但我不知道哪个字段被填满了。因此,如果我没有在搜索表单的field1
中输入任何内容,那么在WHERE查询中就不应该有parameter1 = '$_POST['name1']'
。
你知道如何获得这个吗?
感谢
您可以在将子句附加到查询之前检查post数据,方法如下:
编辑:添加附加检查:
$sql="select something from someTable ";
if(!empty($_POST['name1']) || !empty($_POST['name2'])) // add as many as you like
{
$sql.=" where ";
if(!empty($_POST['name1']))
{
$sql.="parameter1= $_POST['name1']";
}
// etc etc...
}
$sql.=" ORDER BY id ASC";
等等
话虽如此,请使用准备好的语句和用户的此类输入。这是SUPER对sql注入的开放。请阅读以下内容:如何防止PHP中的SQL注入?
如果您需要更复杂的sql,只需修改它,就可以像这样编写通用的sql选择函数。
<?php
function sqlSelect($table, $sel, $wh = '', $groupby = '', $order = '', $add = '') {
$tb = $table;
if (is_array($table)) {
$tb = implode(',', $table);
}
if ($wh) {
if (is_array($wh)) {
$w = array();
foreach ($wh as $k => $v) {
$v = mysqli_real_escape_string($v);
if (is_null($v))
$w [] = "$k=null ";
else
$w [] = "$k ='$v'";
}
$wh = 'where ' . implode(' and ', $w);
}else {
$wh = "where $wh";
}
}
if ($groupby)
$groupby = "group by $groupby";
if ($order)
$order = "order by $order";
$sql = "select $sel from $tb $wh $groupby $order $add ";
return $sql;
}
//set _GET as this is console test
$_GET['name1']='Bob';
$where = array(
'name1'=>$_GET['name1']
);
echo sqlSelect('sometable' , '*' , $where) ."'n";
// select * from sometable where name1 ='Bob'
//or some complex stuff
echo sqlSelect('persons', "age,status" , array('name'=>'Maria' , 'likes'=>'PHP') , null, 'age' , 'limit 20');
//select age,status from persons where name ='Maria' and likes ='PHP' order by age limit 20