如何将 LIKE'%%' 转换为用户输入 - how to turn LIKE'%%' into user input

嗨，我

正在尝试创建一个商店定位器和零件查找器，ATM 我有一个 sql 查询，它使用 LIKE 来获取所有有 1 的答案，这也连接到 php 输入以及我将如何将 LIKE'%%' 子句从特定于用户放入表单中的任何内容更改为用户放入表单中的任何内容，但获得的结果与 like 给我的结果相同，所以如果我输入 1 它如果我输入 4，则用一个显示所有部分，它也会做同样的事情。我的代码是：

<head>
        <?php
        $serverName = "127.0.0.0";
        $connectionInfo = array( "Database"=>"db", "UID"=>"id", "PWD"=>"pwd");
        $conn = sqlsrv_connect( $serverName, $connectionInfo );
        if( $conn === false ) 
        {
            die( print_r( sqlsrv_errors(), true));
        }
        $sql = "SELECT     dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip, 
                           dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2)AS distances
                FROM       dbo.Customer INNER JOIN
                           CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND 
                           dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN
                           Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company
                WHERE      Part.partnum LIKE '%%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150)
                ORDER BY   distances ";
        $stmt = sqlsrv_query( $conn, $sql );
        if( $stmt === false) 
        {
            die( print_r( sqlsrv_errors(), true) );
        }
        while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC) ) {
        echo $row['name']."<br/>".$row['address1']."<br/>".$row['state']."<br/>".$row['zip']."<br/>".$row['phonenum']."<br/>".$row['distances']."<br/>".$row['partnum']."<br/>"
        .$row['description']."<br/>";
        }
        sqlsrv_free_stmt( $stmt);
        ?>
</head>
    <body>
        part = <?php echo $_POST["part"];?>
    </body>

首先，我建议您使用 PDO 而不是 sqlsrv_*() 函数。下面是这样一个示例：

$sql = "SELECT     dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip, 
                           dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2)AS distances
                FROM       dbo.Customer INNER JOIN
                           CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND 
                           dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN
                           Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company
                WHERE      Part.partnum LIKE '%?%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150)
                ORDER BY   distances ";
$dbh = new PDO('sqlsrv:Server=localhost;Database=testdb', DB_USER, DB_PASS);
$stmt = $dbh->prepare($sql);
$stmt->execute(array($_GET['users_input']));

当调用execute()时，我添加到查询中的?将被数组中的值替换。有关详细信息，请参阅 http://www.php.net/manual/en/pdo.prepared-statements.php。

显然，您可能希望在将用户输入传递到execute()之前对其进行验证。