2015-10-31 98 views
0

我試圖通過使用Ajax的下拉檢索數據& PHP。 選擇選項值在與數據庫列名配對時工作正常,但當我將其更改爲日期特定時,它不起作用。 請通過我的代碼&建議所需的更改。基於日期檢索數據的Ajax PHP查詢

HTML:

<form> 
<select name="users" onchange="showUser(this.value)"> 
    <option value="">Select a person:</option> 
    <option value="1">July</option> // I doesn't work if when I change the value to "\'2015-07-01\' AND \'2015-07-31\'" 
    <option value="2">August</option> // I doesn't work if when I change the value to "\'2015-08-01\' AND \'2015-08-31\'" 
    <option value="3">September</option> // I doesn't work if when I change the value to "\'2015-09-01\' AND \'2015-09-30\'" 
    <option value="4">October</option> // I doesn't work if when I change the value to "\'2015-10-01\' AND \'2015-10-31\'" 
    </select> 
</form> 
<br> 
<div id="txtHint"><b>Person info will be listed here...</b></div> 

的Javascript

function showUser(str) { 
    if (str == "") { 
     document.getElementById("txtHint").innerHTML = ""; 
     return; 
    } else { 
     if (window.XMLHttpRequest) { 
      // code for IE7+, Firefox, Chrome, Opera, Safari 
      xmlhttp = new XMLHttpRequest(); 
     } else { 
      // code for IE6, IE5 
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); 
     } 
     xmlhttp.onreadystatechange = function() { 
      if (xmlhttp.readyState == 4 && xmlhttp.status == 200) { 
       document.getElementById("txtHint").innerHTML = xmlhttp.responseText; 
      } 
     } 
     xmlhttp.open("GET","getleads.php?q="+str,true); 
     xmlhttp.send(); 
    } 
} 

PHP:

<?php 
$q = intval($_GET['q']); 

/*Comments Start, I even tried if else with the select values being only numeric 
if($q==1) 
{ 
$q == "\'2015-07-01\' AND \'2015-07-31\'"; 
} 
elseif ($q==2) 
{ 
$q == "\'2015-08-01\' AND \'2015-08-31\'"; 
} 
elseif ($q==3) 
{ 
$q == "\'2015-09-01\' AND \'2015-09-30\'"; 
} 
} elseif ($q==4){ 
$q == "\'2015-10-01\' AND \'2015-10-31\'"; 
} else ($q==) 
{ 
$q == "*"; 
}  
Comments End*/ 

$con = mysqli_connect('localhost','user','password','database'); 
if (!$con) { 
    die('Could not connect: ' . mysqli_error($con)); 
} 

mysqli_select_db($con,"ajax_demo"); 
$sql="SELECT * FROM table WHERE ID = '".$q."'"; 
$result = mysqli_query($con,$sql); 

echo "<table> 
<tr> 
<th>Name</th> 
<th>Number</th> 
<th>Email</th> 


</tr>"; 
while($row = mysqli_fetch_array($result)) { 
    echo "<tr>"; 
    echo "<td>" . $row['frm_name'] . "</td>"; 
    echo "<td>" . $row['frm_mobile'] . "</td>"; 
    echo "<td>" . $row['frm_email'] . "</td>"; 

    echo "</tr>"; 
} 
echo "</table>"; 
mysqli_close($con); 
?> 

我甚至通過去除背部試圖從斜線的日期。 請幫忙!!

回答

1

你不應該在sql查詢中注入變量;現在,在服務器端對字符串進行硬編碼並不重要,但如果將格式更改爲接受表單中的值,則可以打開SQL注入的查詢。

您應該使用準備好的語句;那麼你不需要任何引號,如果你將來改變任何東西,你將不會無意中增加任何錯誤。

除此之外,您生成的SQL是錯誤的,退房的時候,你取消註釋您的字符串分配會發生什麼:

SELECT * FROM table WHERE ID = ''2015-07-01' AND '2015-07-31'' 

兩者的報價是錯誤的,AND語法是錯誤的。假設table不是您真正的表名。

你可能想是這樣的:

SELECT * FROM your_table WHERE your_date_field BETWEEN ? AND ? 

您可以取得任何有效的格式化的日期結合的問號。

請注意,mysql也有一個MONTH()函數,這將使您的查詢在這種特定情況下更容易。

1
i have tried the same code there is issue in your select query please try this one.. and debug.. 

first import this table 

    CREATE TABLE IF NOT EXISTS `fromtable` (
     `id` int(15) NOT NULL, 
     `frm_name` varchar(25) NOT NULL, 
     `frm_mobile` varchar(25) NOT NULL, 
     `frm_email` varchar(25) NOT NULL 
    ) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; 

    -- 
    -- Dumping data for table `fromtable` 
    -- 

    INSERT INTO `fromtable` (`id`, `frm_name`, `frm_mobile`, `frm_email`) 
    VALUES 
    (1, 'abc', '987654120', '[email protected]'), 
    (2, 'pqr', '985472160', '[email protected]'); 

保持html頁面,因爲它是

getleads.php 

     <!DOCTYPE html> 
     <html> 
     <head> 
     <style> 
     table { 
      width: 100%; 
      border-collapse: collapse; 
     } 
     table, td, th { 
     border: 1px solid black; 
     padding: 5px; 
     } 

     th {text-align: left;} 
     </style> 
     </head> 
     <body> 

     <?php 
     $q = intval($_GET['q']); 
     $con = mysqli_connect('localhost','root','','dbname'); 
     if (!$con) { 
      die('Could not connect: ' . mysqli_error($con)); 
     } 

     mysqli_select_db($con,"ajax_demo"); 
     $sql="SELECT * FROM fromtable WHERE id = '".$q."'"; 
     //echo $sql;exit; 
     $result = mysqli_query($con,$sql); 
     $r = mysqli_query($con,$sql) 
     or die("Error: ".mysqli_error($con)); 

      echo "<table> 
     <tr> 
     <th>Name</th> 
     <th>Number</th> 
     <th>Email</th> 
     </tr>"; 
      while($row = mysqli_fetch_array($result,MYSQLI_ASSOC)) { 
      echo "<tr>"; 
      echo "<td>" . $row['frm_name'] . "</td>"; 
      echo "<td>" . $row['frm_mobile'] . "</td>"; 
      echo "<td>" . $row['frm_email'] . "</td>"; 
      echo "</tr>"; 
      } 
     echo "</table>"; 
     mysqli_close($con); 
     ?> 
    </body> 
    </html>