我有一个HTML表单供用户选择国家,地区,卧室号码和价格。
<form action="" enctype="" method="POST">
<p>Property Search
<select name="search_country">
<option value="">Select a country</option>
<option value="uk">UK</option>
<option value="france">France</option>
</select>
<select name="search_region">
<option value="">Select a region</option>
<option value="london">London</option>
<option value="birmingham">Birmingham</option>
<option value="paris">Paris</option>
<option value="calais">Calais</option>
</select>
<select name="search_bedroomnumber">
<option value="">Select number of bedrooms</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select>
<input type="submit" name="search_submit" value="Search" />
我目前查询数据库的方式是所选表单选项的每个变体的 if 语句,如下所示:
if($_POST['search_country'] == "uk" and $_POST['search_region'] == "london" and $_POST['search_bedroomnumber'] == 4) {
$sqlcommand = "(SELECT * FROM properties
WHERE country = 'uk'
AND region = 'london'
AND bedroomnumber = 4
ORDER BY price ASC
$properties = Properties::find_by_sql($sqlcommand);
};
有很多选择,这将需要大量的if语句,我相信有一种更有效的方法,我没有看到(这里非常业余的程序员)。
任何建议将不胜感激。谢谢。
PDO就是答案!
结合filter_input
,实现最大效果
收集所有参数:(添加清理)
$country = isset($_POST['country']) ? $_POST['country'] : 'uk';
...
编写查询:
$sql = 'SELECT * FROM properties
WHERE country = :country
AND region = :region
AND bedroomnumber = :bedroomnumber
ORDER BY price ASC';
准备查询
$stmt = $db->prepare($sql);
绑定参数:
$stmt->bindParam(':country', $country);
...
执行并获取:
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
<?php
if($_POST['search_country'] && $_POST['search_region'] && $_POST['search_bedroomnumber']) {
$country = $_POST['search_country'];
$region = $_POST['search_region'];
$bedroomNo = $_POST['search_bedroomnumber'];
$sqlcommand = "SELECT * FROM properties WHERE country = '$country' AND region = '$region' AND bedroomnumber = $bedroomNo ORDER BY price ASC ";
$properties = Properties::find_by_sql($sqlcommand);
}
?>
你根本不需要那些 IF 的。只需将所有预期的 GET 或 POST 值分配给一个变量,并在转义后将这些变量放入 SQL 代码中。
必须查看 http://php.net/manual/en/mysqli.real-escape-string.php,您可以在转义后将 $_POST 中的所有变量获取到变量中,然后在查询中使用它。
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
$country = $mysqli->real_escape_string($_POST['search_country']);
$region = $mysqli->real_escape_string($_POST['search_region']);
$bedroom = $mysqli->real_escape_string($_POST['search_bedroomnumber']);
$sql = "SELECT * FROM properties
WHERE country = '$country'
AND region = '$region'
AND bedroomnumber = $bedroom
ORDER BY price ASC" ;
然后您可以使用此$sql。
确保您在检查空输入等地方也有其他检查。