我正在構建基於用戶正在應用的過濾器的查詢。一切正常,我想要拉取數據。我現在已經到了安全的地步。我怎樣才能讓這個安全時加入我的「WHERE」可以有多個過濾器。關於過濾查詢的php參數化查詢
$sql_Year = $_GET['year'];
$sql_Model = $_GET['model'];
$sql_Style = $_GET['style'];
$sql_Color = $_GET['color'];
if (!empty($sql_Year)) $insertY .= " and Year='$sql_Year'";
if (!empty($sql_Model)) $insertY .= " and Model='$sql_Model'";
if (!empty($sql_Style)) $insertY .= " and Body='$sql_Style'";
if (!empty($sql_Color)) $insertY .= " and Colour='$sql_Color'";
$stmt = $con->prepare("SELECT DISTINCT(`Year`) FROM `cars` WHERE `New/Used` = 'N' ".$insertY." ORDER BY `Year` ASC ");
$stmt->execute();
$stmt->bind_result($Year);
while ($row = $stmt->fetch()) {
}
我跟着你的意見和做陣列。我現在得到一個錯誤:mysqli_stmt :: bind_param()[mysqli-stmt.bind-param]:類型定義字符串中的元素數量與綁定變量的數量不匹配。我的新代碼是:
$get_Year = $_GET['year'];
$get_Model = $_GET['model'];
$get_Style = $_GET['style'];
$get_Color = $_GET['color'];
$YearArray = array();
$YearValues .= "WHERE `New/Used`=?";
$YearTypes .= "s";
array_push($YearArray, "U");
if ($get_Year != "") {
$YearValues .= " and `Year`=?";
$YearTypes .= "s";
array_push($YearArray, "2004");
}
if ($get_Model != "") {
$YearValues .= " and Model=?";
$YearTypes .= "s";
array_push($YearArray, $get_Model);
}
if ($get_Style != "") {
$YearValues .= " and Body=?";
$YearTypes .= "s";
array_push($YearArray, $get_Style);
}
if ($get_Color != "") {
$YearValues .= " and Colour=?";
$YearTypes .= "s";
array_push($YearArray, $get_Color);
}
$YearVariables = implode(',', $YearArray);
$stmt = $con->prepare("SELECT DISTINCT(`Year`) FROM `cars` ".$YearValues." ORDER BY `Year` ASC ");
$stmt->bind_param($YearTypes, $YearVariables);
$stmt->execute();
$stmt->bind_result($Year);
我可以像這樣使用bind_param數組嗎?
你需要建立兩個平行陣列:一個是「價值」您正在使用,以及一個用於「佔位符」。最後你把它們放在一起,最終得到一個充滿活力的預備聲明,這在某種程度上是矛盾的。 –
我用你的建議做了一些更新。請用新代碼查看我的編輯。謝謝!尋求進一步的幫助。 – 1wayrocker
http://stackoverflow.com/questions/11231597/ignore-particular-where-criteria –