我在很多情况下选择表格时遇到问题,有人可以帮助我吗?
$tbl_name =$_POST['report'];
if($tbl_name=="dailymeal")
$select = "SELECT * FROM '$tbl_name' where a4>='$tanggal_awal' and a4 <='$tanggal_akhir'";
if($table_name="infomeal")
{ $select = "SELECT * FROM `".$tbl_name."` where tanggal >=`".$tanggal_awal."` and tanggal <=`".$tanggal_akhir."`"; }
if($table_name="keluhan")
{ $select = "SELECT * FROM `".$tbl_name."` where tlapor >=`".$tanggal_awal."` and tlapor <=`".$tanggal_akhir."`"; }
if($table_name="perjalanan")
{ $select = "SELECT * FROM `".$tbl_name."` where request_date>=`".$tanggal_awal."` and request_date <=`".$tanggal_akhir."`"; }
if($table_name="tamu")
{ $select = "SELECT * FROM `".$tbl_name."` where jam_masuk>=`".$tanggal_awal."` and jam_masuk <=`".$tanggal_akhir."`"; }
if($table_name="tiket")
{ $select = "SELECT * FROM `".$tbl_name."` where waktu_input>=`".$tanggal_awal."` and waktu_input <=`".$tanggal_akhir."`"; }
if($table_name="trx_kons")
{ $select = "SELECT * FROM `".$tbl_name."` where date_trx>=`".$tanggal_awal."` and date_trx <=`".$tanggal_akhir."`"; }
if($table_name="uniform")
{ $select = "SELECT * FROM `".$tbl_name."` where reqtime >=`".$tanggal_awal."` and reqtime <=`".$tanggal_akhir."`"; }
if($table_name="konsumable")
{ $select = "SELECT * FROM `".$tbl_name."`"; }
mysql_query('SET NAMES utf8;');
$export = mysql_query($select);
查询"位置"根本不起作用。 我尝试选择日期 1 和日期 2 之间的所有数据。我想在这里做什么?
首先,
您可能希望将所有$table_name
更改为$tbl_name
,因为就目前而言,您正在使用两个不同的变量进行表检查。或者为了使它更简单,将所有$tbl_name
实例更改为$table_name
,这将需要更少的工作。因此,在这一点上,不确定您打算使用哪个变量,或者您是否有更多代码可能没有向我们展示。
即:if($tbl_name=="dailymeal")
和if($table_name="infomeal")
因此,您很可能想要使用:
$table_name =$_POST['report'];
if($table_name=="dailymeal")
现在,您周围有引号FROM '$tbl_name'
如果您想转义,则需要删除或使用反引号。
您应该使用(或打算使用(与您在 中使用的相同方法
SELECT * FROM `".$tbl_name."`
此外,您正在分配=
,而不是使用 if($table_name="infomeal")
和许多其他方法比较==
。
您还缺少一些if($tbl_name=="dailymeal")
牙套
比较==
: http://www.php.net/manual/en/language.operators.comparison.php
作业=
: http://www.php.net/manual/en/language.operators.assignment.php
重写:
$tbl_name = $_POST['report']; // or $table_name
// or $table_name
if($tbl_name=="dailymeal"){
$select = "SELECT * FROM `".$tbl_name."` where a4>='$tanggal_awal' and a4 <='$tanggal_akhir'";
// alternate method
// $select = "SELECT * FROM $tbl_name where a4>='$tanggal_awal' and a4 <='$tanggal_akhir'";
}
if($table_name=="infomeal"){
$select = "SELECT * FROM `".$tbl_name."` where tanggal >=`".$tanggal_awal."` and tanggal <=`".$tanggal_akhir."`";
}
if($table_name=="keluhan"){
$select = "SELECT * FROM `".$tbl_name."` where tlapor >=`".$tanggal_awal."` and tlapor <=`".$tanggal_akhir."`";
}
if($table_name=="perjalanan"){
$select = "SELECT * FROM `".$tbl_name."` where request_date>=`".$tanggal_awal."` and request_date <=`".$tanggal_akhir."`";
}
if($table_name=="tamu"){
$select = "SELECT * FROM `".$tbl_name."` where jam_masuk>=`".$tanggal_awal."` and jam_masuk <=`".$tanggal_akhir."`";
}
if($table_name=="tiket"){
$select = "SELECT * FROM `".$tbl_name."` where waktu_input>=`".$tanggal_awal."` and waktu_input <=`".$tanggal_akhir."`";
}
if($table_name=="trx_kons"){
$select = "SELECT * FROM `".$tbl_name."` where date_trx>=`".$tanggal_awal."` and date_trx <=`".$tanggal_akhir."`";
}
if($table_name=="uniform"){
$select = "SELECT * FROM `".$tbl_name."` where reqtime >=`".$tanggal_awal."` and reqtime <=`".$tanggal_akhir."`";
}
if($table_name=="konsumable"){
$select = "SELECT * FROM `".$tbl_name."`";
}
mysql_query('SET NAMES utf8;');
$export = mysql_query($select);
脚注:
您当前的代码对SQL注入开放。使用预准备语句或 PDO。
mysql_*
函数弃用通知:
http://www.php.net/manual/en/intro.mysql.php
从 PHP 5.5.0 开始,此扩展已弃用,不建议用于编写新代码,因为它将来会被删除。相反,应该使用 mysqli 或 PDO_MySQL 扩展。另请参阅 MySQL API 概述,以获取选择 MySQL API 时的进一步帮助。
这些功能允许您访问 MySQL 数据库服务器。有关MySQL的更多信息可以在» http://www.mysql.com/中找到。
MySQL 的文档可以在 » http://dev.mysql.com/doc/中找到。
调试/故障排除
将错误报告添加到文件顶部,这将在生产测试期间有所帮助。
error_reporting(E_ALL);
ini_set('display_errors', 1);
- http://www.php.net/manual/en/function.mysql-error.php
- http://php.net/manual/en/function.error-reporting.php
试试这个。基本清理至少可以说揭示了一些问题:
$select = '';
$tbl_name = $_POST['report'];
if ($tbl_name == "dailymeal") {
$select = "SELECT * FROM `" . $tbl_name . "` WHERE a4 >= '$tanggal_awal' AND a4 <= '$tanggal_akhir'";
}
if ($tbl_name == "info meal") {
$select = "SELECT * FROM `" . $tbl_name . "` WHERE tanggal >= `" . $tanggal_awal . "` AND tanggal <= `".$tanggal_akhir."`";
}
if ($tbl_name == "keluhan") {
$select = "SELECT * FROM `" . $tbl_name. "` WHERE tlapor >= `" . $tanggal_awal . "` AND tlapor <= `".$tanggal_akhir."`";
}
if ($tbl_name == "perjalanan") {
$select = "SELECT * FROM `" . $tbl_name . "` WHERE request_date >= `" . $tanggal_awal . "` AND request_date <= `".$tanggal_akhir."`";
}
if ($tbl_name == "tamu") {
$select = "SELECT * FROM `" . $tbl_name . "` wh WHERE ere jam_masuk >= `" . $tanggal_awal . "` AND jam_masuk <= `".$tanggal_akhir."`";
}
if ($tbl_name == "ticket") {
$select = "SELECT * FROM `" . $tbl_name . "` WHERE waktu_input >= `" . $tanggal_awal . "` AND waktu_input <= `".$tanggal_akhir."`";
}
if ($tbl_name == "trx_kons") {
$select = "SELECT * FROM `" . $tbl_name . "` WHERE date_trx >= `" . $tanggal_awal . "` AND date_trx <=`".$tanggal_akhir."`";
}
if ($tbl_name == "uniform") {
$select = "SELECT * FROM `" . $tbl_name . "` WHERE reqtime >= `" . $tanggal_awal . "` AND reqtime <=`".$tanggal_akhir."`";
}
if ($tbl_name == "consumable") {
$select = "SELECT * FROM `" . $tbl_name . "`";
}
if (!empty($select)) {
mysql_query('SET NAMES utf8;');
$export = mysql_query($select);
}
这些问题(排名不分先后(如下:
- 你指的是某些地方的
$tbl_name
,而另一些地方的$table_name
。所以我把它们都设置为$tbl_name
. - 您的许多条件
if
语句实际上是赋值。比如这个if($table_name="perjalanan")
应该用==
所以就是这个if($tbl_name == "perjalanan")
. - 您的第一个
SELECT
有SELECT * FROM '$tbl_name'
由于单引号('
(而不起作用,所以我将它们全部更改为其余的:SELECT * FROM
"。$tbl名称 .'"`` - 整体格式设置或缺少常量格式会使调试变得困难。并导致这样的错误。虽然从技术上讲,您拥有的
if
语句不需要{
}
大括号,但我发现它们对可读性很有用。同上,基本缩进。像这样格式化代码似乎很麻烦,但归根结底,它可以节省您的时间并使代码对其他人更具可读性。 - 从技术上讲,当使用双引号时,您不必像使用双引号时那样在 PHP 中出现变量时
.
连接:"SELECT * FROM
"。$tbl名称 ."You could just write it like this: `"SELECT * FROM `$tbl_name`
,因为双引号允许字符串替换。但我只是把它留在了.
,只是添加了空格,因为我发现这种格式也更具可读性。
MySQL已被弃用。你至少应该尝试MySQLi。$table_name
从何而来?我想你的意思是$tbl_name
,对吧?你可以试试这个:
<?php
/* ESTABLISH CONNECTION */
$connect=mysqli_connect("YourHost","YourUsername","YourPassword","YourDatabase");
if(mysqli_connect_errno()){
echo "Error".mysqli_connect_error();
}
$tbl_name = mysqli_real_escape_string($connect,$_POST['report']); /* ESCAPE_STRING SUBMITTED DATA */
if($tbl_name=="dailymeal") {
$select = "SELECT * FROM dailymeal WHERE a4>='$tanggal_awal' AND a4 <='$tanggal_akhir'";
}
if($tbl_name=="infomeal")
{ $select = "SELECT * FROM infomeal WHERE tanggal>=`".$tanggal_awal."` AND tanggal <=`".$tanggal_akhir."`"; }
if($tbl_name=="keluhan")
{ $select = "SELECT * FROM keluhan WHERE tlapor>=`".$tanggal_awal."` AND tlapor <=`".$tanggal_akhir."`"; }
if($tbl_name=="perjalanan")
{ $select = "SELECT * FROM perjalanan WHERE request_date>=`".$tanggal_awal."` AND request_date <=`".$tanggal_akhir."`"; }
if($tbl_name=="tamu")
{ $select = "SELECT * FROM tamu WHERE jam_masuk>=`".$tanggal_awal."` AND jam_masuk <=`".$tanggal_akhir."`"; }
if($tbl_name=="tiket")
{ $select = "SELECT * FROM tiket WHERE waktu_input>=`".$tanggal_awal."` AND waktu_input <=`".$tanggal_akhir."`"; }
if($tbl_name=="trx_kons")
{ $select = "SELECT * FROM trx_kons WHERE date_trx>=`".$tanggal_awal."` AND date_trx <=`".$tanggal_akhir."`"; }
if($tbl_name=="uniform")
{ $select = "SELECT * FROM uniform WHERE reqtime>=`".$tanggal_awal."` AND reqtime <=`".$tanggal_akhir."`"; }
if($tbl_name=="konsumable")
{ $select = "SELECT * FROM konsumable"; }
if(empty($select)){
"Please fill the text box properly.";
}
else {
mysqli_query('SET NAMES utf8;');
$export = mysqli_query($connect,$select);
}
?>
- 使用了错误的变量名。$table_name 应为 $tbl_name。
- 您是在其他条件中分配,而不是比较。 == 而不是 =
- 串联是错误的。多加注意。
- 我建议使用,否则。但是让我们坚持你的结构。
也许,试试这个:
$tbl_name = $_POST['report'];
if($tbl_name=="dailymeal")
{ $select = "SELECT * FROM `".$tbl_name."` where a4>=`".$tanggal_awal."` and a4 <=`".$tanggal_akhir."`"; }
if($tbl_name=="infomeal")
{ $select = "SELECT * FROM `".$tbl_name."` where tanggal >=`".$tanggal_awal."` and tanggal <=`".$tanggal_akhir."`"; }
if($tbl_name=="keluhan")
{ $select = "SELECT * FROM `".$tbl_name."` where tlapor >=`".$tanggal_awal."` and tlapor <=`".$tanggal_akhir."`"; }
if($tbl_name=="perjalanan")
{ $select = "SELECT * FROM `".$tbl_name."` where request_date>=`".$tanggal_awal."` and request_date <=`".$tanggal_akhir."`"; }
if($tbl_name=="tamu")
{ $select = "SELECT * FROM `".$tbl_name."` where jam_masuk>=`".$tanggal_awal."` and jam_masuk <=`".$tanggal_akhir."`"; }
if($tbl_name=="tiket")
{ $select = "SELECT * FROM `".$tbl_name."` where waktu_input>=`".$tanggal_awal."` and waktu_input <=`".$tanggal_akhir."`"; }
if($tbl_name=="trx_kons")
{ $select = "SELECT * FROM `".$tbl_name."` where date_trx>=`".$tanggal_awal."` and date_trx <=`".$tanggal_akhir."`"; }
if($tbl_name=="uniform")
{ $select = "SELECT * FROM `".$tbl_name."` where reqtime >=`".$tanggal_awal."` and reqtime <=`".$tanggal_akhir."`"; }
if($tbl_name=="konsumable")
{ $select = "SELECT * FROM `".$tbl_name."`"; }
mysql_query('SET NAMES utf8;');
$export = mysql_query($select);
如果有人向您的参数发送表名以外的内容($_POST['report'];),您也有很高的注入攻击风险
在此处阅读有关注入攻击的更多信息:绕过 mysql_real_escape_string(( 的 SQL 注入
您可以使用 SQL 中的 BETWEEN 和用于存储表和列之间关系的哈希表大大简化此代码。
$table_fields = array(
"dailymeal" => "a4",
"infomeal" => "tanggal",
"keluhan" => "tlapor",
...
);
$tbl_name = $_POST['report'];
// check to make sure that tbl_name is a proper table name - don't trust the user input!
$field_nm = $table_fields[$tbl_name];
$select = "SELECT * FROM $tbl_name where $tanggal_awal BETWEEN $field_nm and $field_nm";
您还可以执行其他一些清理操作,例如确保正确转义值和/或使用绑定变量,但基本思想是识别逻辑中的模式并使用它们来简化代码。