1. 首頁
  2. 問答
  3. 無法在PHP中搜索OR語句MySQL Query

無法在PHP中搜索OR語句MySQL Query

2017-06-22 36 views
1

目前正在構建CRUD系統以跟蹤產品編號。在我爲搜索設置的查詢中,除了'p.name'之外,它似乎沒有提取任何內容,但是不會提取任何其他內容,無論我是在WHERE語句中將它放在第一位還是第二位進行搜索功能。無法在PHP中搜索OR語句MySQL Query

但是,如果我改變第二個函數中的p.name爲其他東西,它會選擇它。

如果我添加「OR p.family LIKE?」該查詢將不會執行。

這是用於產品搜索的代碼。我添加了一條評論「// - 我可以在這裏添加另一個LIKE嗎?」

<?php 
class Product{ 

    // database connection and table name 
    private $conn; 
    private $table_name = "products"; 
    private $table2_name = "deleted_products"; 

    // object properties 
    public $id; 
    public $name; 
    public $family; 
    public $number; 
    public $description; 
    public $ext_description; 
    public $category_id; 
    public $timestamp; 
    public $timestamp2; 

    public function __construct($db){ 
     $this->conn = $db; 
    } 

     public function search($search_term, $from_record_num, $records_per_page){ 

     // select query 
     $query = "SELECT 
        c.name as category_name, p.id, p.name, p.family, p.description, p.ext_description, p.number, p.category_id, p.created 
       FROM 
        " . $this->table_name . " p 
        LEFT JOIN 
         categories c 
          ON p.category_id = c.id 
       WHERE 
        p.family LIKE ? OR p.description LIKE ? 
       ORDER BY 
        p.name ASC 
       LIMIT 
        ?, ?"; 

     // prepare query statement 
     $stmt = $this->conn->prepare($query); 

     // bind variable values 
     $search_term = "%{$search_term}%"; 
     $stmt->bindParam(1, $search_term); 
     $stmt->bindParam(2, $search_term); 
     $stmt->bindParam(3, $from_record_num, PDO::PARAM_INT); 
     $stmt->bindParam(4, $records_per_page, PDO::PARAM_INT); 

     // execute query 
     $stmt->execute(); 

     // return values from database 
     return $stmt; 
    } 

    public function countAll_BySearch($search_term){ 

     // select query 
     $query = "SELECT 
        COUNT(*) as total_rows 
       FROM 
        " . $this->table_name . " p 
        LEFT JOIN 
         categories c 
          ON p.category_id = c.id 
       WHERE 
        p.name LIKE ?"; // ---- Can I add another LIKE here? 

     // prepare query statement 
     $stmt = $this->conn->prepare($query); 

     // bind variable values 
     $search_term = "%{$search_term}%"; 
     $stmt->bindParam(1, $search_term); 

     $stmt->execute(); 
     $row = $stmt->fetch(PDO::FETCH_ASSOC); 

     return $row['total_rows']; 
    } 

}

下面是用於搜索

<?php 
// core.php holds pagination variables 
include_once 'config/core.php'; 

// include database and object files 
include_once 'config/database.php'; 
include_once 'objects/product.php'; 
include_once 'objects/category.php'; 

// instantiate database and product object 
$database = new Database(); 
$db = $database->getConnection(); 

$product = new Product($db); 
$category = new Category($db); 

// get search term 
$search_term=isset($_GET['s']) ? $_GET['s'] : ''; 

$page_title = "You searched for \"{$search_term}\""; 
include_once "header.php"; 

// query products 
$stmt = $product->search($search_term, $from_record_num, $records_per_page); 
//$stmt = $product->readAll($from_record_num, $records_per_page); 

// specify the page where paging is used 
$page_url="search.php?s={$search_term}&"; 

// count total rows - used for pagination 
$total_rows=$product->countAll_BySearch($search_term); 

// read_template.php controls how the product list will be rendered 
include_once "read_template.php"; 

// footer.php holds our javascript and closing html tags 
include_once "footer.php"; 
?>

頁面如果有人可以幫助我走出這將是偉大的!謝謝。

來源

2017-06-22 DesignStuff

+0

謝謝你的提示!我如何綁定附加值?對不起,我有一段時間沒有完成PHP MySQL。 – DesignStuff

+0

我試過了,得到這個:警告:PDOStatement :: execute():SQLSTATE [HY093]:無效的參數編號:綁定變量的數量與C:\ xampp \ htdocs \ phpoop \ objects \ product中的標記數量不匹配。 PHP的在線245 – DesignStuff

+0

公共職能countAll_BySearch($ SEARCH_TERM){ \t \t //選擇查詢 \t \t $查詢=「選擇 \t \t \t \t \t COUNT(*)作爲TOTAL_ROWS \t \t \t \t FROM \t \t \t \t \t「。 $ this-> table_name。「P \t \t \t \t \t LEFT JOIN \t \t \t \t \t \t C類 \t \t \t \t \t \t \t ON p.category_id = c.id \t \t \t \t WHERE \t \t \t \t \t p.name像?或者p.descript離子喜歡?「; \t \t \t \t \t \t //準備查詢語句 \t \t $語句= $這個 - > conn->製備($查詢); \t \t $ search_term =「%{$ search_term}%」; \t \t $ stmt-> bindParam(2,$ search_term); \t \t $ stmt-> execute(); \t \t $ row = $ stmt-> fetch(PDO :: FETCH_ASSOC); \t \t return $ row ['total_rows']; \t} – DesignStuff

回答

0

你應該可以像你在第一個例子中那樣做。您需要查詢中每個值的佔位符,然後您需要爲每個佔位符綁定一個。

$query = "SELECT 
      COUNT(*) as total_rows 
      FROM 
      " . $this->table_name . " p 
      LEFT JOIN 
      categories c 
      ON p.category_id = c.id 
      WHERE 
      p.name LIKE ? OR p.description LIKE ?";  

// prepare query statement 
$stmt = $this->conn->prepare($query); 
// bind variable values 
$search_term = "%{$search_term}%"; 
$stmt->bindParam(1, $search_term); 
$stmt->bindParam(2, $search_term);

bindParam函數的第一個參數是如何映射到在查詢中的佔位符,1意味着它會與第一個佔位符。另一種語法是通過execute中的綁定。

$stmt = $this->conn->prepare($query); 
$search_term = "%{$search_term}%"; 
$stmt->execute(array($search_term, $search_term));

此外,直接在DOM中使用用戶提供的數據可以打開XSS注入。您應該避免輸入,以免惡意代碼無法執行。

$search_term=isset($_GET['s']) ? htmlspecialchars($_GET['s'], ENT_QUOTES) : '';
  1. https://en.wikipedia.org/wiki/Cross-site_scripting
  2. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

來源

2017-06-23 13:58:39 chris85

+0

**這個完全工作的人!**所以,如果我想添加更多,我只是添加更多bindParam與執行數組中的另一個搜索詞?我無法感謝你,這是我在本網站的第一次體驗,我很感謝你的幫助。 – DesignStuff

+0

是的,對於每個'?'你都需要一個'bindparam'。如果這解決了您的問題,請接受答案。你可以在這裏看到更多,https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – chris85

+0

對不起,我不知道如何接受答案。只需點擊複選框。再次感謝! – DesignStuff

相關問題

 相關問題