2017-09-27 46 views

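I need to get the correct hotel ID for the hotel. The code below has some error: the user selects a hotel and the wrong hotel's information is displayed. PHP incorrect ID

Here is a link to the URL with the error: Error url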

if(isset($_REQUEST["result"])) 
{ 
$search = $_REQUEST["result"]; 
$checkin = $_REQUEST["checkin"]; 
$checkout = $_REQUEST["checkout"]; 
$guest = $_REQUEST["guest"]; 

$query = "select * from hotel,room_type WHERE hotel.hotel_id = room_type.hotel_id and hotel.hotel_address LIKE '%".$search."%' or hotel.hotel_city LIKE '%".$search."%' or hotel.hotel_state LIKE '%".$search."%' or hotel.hotel_name LIKE '%".$search."%' AND room_type.room_available_from >='$checkin' AND room_type.room_available_till <='$checkout' AND room_type.room_guest = '$guest' group by hotel.hotel_id"; 
$result = mysqli_query($conn,$query); 

} 

The code below displays the list of hotels; it shows the same HOTEL_ID:

<?php 
    while($row = mysqli_fetch_array($result)) 
    { 
     $hid = $row["hotel_id"]; 
     $url = 'hid='.$row["hotel_id"].'&checkin='.$checkin.'&checkout='.$checkout.''; 
       ?> 
     <div class="list-body" onclick="window.location.href='hotel.php?<?php echo $url ?>'"> 
        <div class="col-photo"> 
         <?php 
         $img_result = mysqli_query($conn,"SELECT * FROM hotel_images where hotel_id = $hid"); 
         $r = mysqli_fetch_assoc($img_result); 
         ?> 
         <img src="../img/hotel/<?php echo $r["hotel_image"]?>"> 
     </div> 
     <div class="col-info"> 
      <div class="info-content"> 
      <div class="col-title"> 
        <h3><?php echo $row["hotel_name"] ?></h3> 
     </div> 

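You could get a performance gain by joining the hotel_images table in the first query, rather than querying the hotel_images table for every row. Could you include var_dump($row); in the while loop in the second part of the script and let us know the output? – flauntster

Answers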


The problem is in your SQL.

select DISTINCT hotel.hotel_id, hotel.*, room_type.* from hotel 
inner join room_type on room_type.hotel_id = hotel.hotel_id 
where (hotel.hotel_address LIKE '%".$search."%' 
or hotel.hotel_city LIKE '%".$search."%' 
or hotel.hotel_state LIKE '%".$search."%' 
or hotel.hotel_name LIKE '%".$search."%') 
AND room_type.room_available_from >='$checkin' 
AND room_type.room_available_till <='$checkout' 
AND room_type.room_guest = '$guest' 

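2 more things, though:

  • You shouldn't run SQL queries inside loops ($img_result should be outside the loop), because they are heavy on performance (the db becomes the bottleneck)
  • Your SQL is vulnerable to SQL injection. You should use prepared statements (PDO) or a similar technique, or at least filter user input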
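
The two points of this answer combined (parenthesised OR group, prepared statement through PDO), as an added example that is not the answerer's code. It runs against a constructed in-memory SQLite schema so no server is needed; the sample rows, the `searchHotels` helper and the `!` LIKE escape character are assumptions.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE hotel (hotel_id INTEGER PRIMARY KEY, hotel_name TEXT,
            hotel_address TEXT, hotel_city TEXT, hotel_state TEXT)");
$pdo->exec("CREATE TABLE room_type (hotel_id INTEGER, room_guest INTEGER,
            room_available_from TEXT, room_available_till TEXT)");
$pdo->exec("INSERT INTO hotel VALUES
            (1, 'Sea View', '1 Beach Rd', 'Penang', 'Penang'),
            (2, 'City Inn', '9 Main St', 'Ipoh', 'Perak')");
$pdo->exec("INSERT INTO room_type VALUES
            (1, 2, '2017-10-01', '2017-10-05'),
            (1, 2, '2017-10-02', '2017-10-04'),
            (2, 4, '2017-10-01', '2017-10-05')");

function searchHotels(PDO $pdo, string $search, string $checkin, string $checkout, int $guest): array
{
    // Escape LIKE wildcards so user input matches literally, then add our own.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search) . '%';
    // The OR group is parenthesised so the join and the AND filters apply to
    // every branch; DISTINCT over hotel columns yields one row per hotel.
    // Each placeholder has its own name: native prepares cannot reuse one name.
    $sql = "SELECT DISTINCT h.hotel_id, h.hotel_name
            FROM hotel h
            INNER JOIN room_type r ON r.hotel_id = h.hotel_id
            WHERE (h.hotel_address LIKE :q1 ESCAPE '!'
                OR h.hotel_city    LIKE :q2 ESCAPE '!'
                OR h.hotel_state   LIKE :q3 ESCAPE '!'
                OR h.hotel_name    LIKE :q4 ESCAPE '!')
              AND r.room_available_from >= :checkin
              AND r.room_available_till <= :checkout
              AND r.room_guest = :guest
            ORDER BY h.hotel_id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':q1' => $like, ':q2' => $like, ':q3' => $like, ':q4' => $like,
                    ':checkin' => $checkin, ':checkout' => $checkout, ':guest' => $guest]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal search: hotel 1 has two matching room types but is listed once.
print_r(searchHotels($pdo, 'Penang', '2017-10-01', '2017-10-05', 2));
// Quote characters in the input are bound as data, so this matches no hotel.
print_r(searchHotels($pdo, "' OR '1'='1", '2017-10-01', '2017-10-05', 2));
```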