1. 首頁
  2. 問答
  3. 過濾如果只有一個過濾器選擇

過濾如果只有一個過濾器選擇

2013-05-08 52 views
0

我必須做出一個汽車網站,過濾取決於預設的mysql數據庫上車。 如果所有被選中我已完成了過濾(如:本田,白,汽油,而不是特殊 - 它會顯示,汽車),但如果我只是想看到所有的本田(例如)沒有任何顯示。過濾如果只有一個過濾器選擇

這是我的代碼:

if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) ||   isset($_GET['special'])){ 

if(isset($_GET['make'])){ 
$make = $_GET['make']; 
} 

if(isset($_GET['colour'])){ 
$colour = $_GET['colour']; 
} 

if(isset($_GET['fueltype'])){ 
$fueltype = $_GET['fueltype']; 
} 

if(isset($_GET['special'])){ 
$special = $_GET['special']; 
} 

$result = mysqli_query($con,"SELECT * FROM Cars WHERE MAKE ='$make' AND COLOUR = '$colour' AND FUELTYPE = '$fueltype' AND SPECIAL = '$special'"); 
} 



else{ 
$result = mysqli_query($con,"SELECT * FROM Cars"); 
}

else語句使所有的汽車出現,當你過濾前打開網頁。

來源

2013-05-08 user2136106

+2

**注:**有[SQL注入(高可能性HTTP ://en.wikipedia.org/wiki/SQL_injection)攻擊。 – BlitZ 2013-05-08 07:53:18

回答

0

轉義可能意味着:mysql_escape_string,檢查有效/允許值的列表,或想好後想要的任何東西。

$where = ""; 
$separator = " WHERE "; 

if(isset($_GET['make'])){ 
    $make = $_GET['make']; 
    !! escape here 
    $where .= $separator . " MAKE = '$make' "; 
    $separator = " AND "; 
} 

if(isset($_GET['colour'])){ 
    $colour = $_GET['colour']; 
    !! escape here 
    $where .= $separator . " COLOUR = '$colour' "; 
    $separator = " AND "; 
} 

... 

$result = mysqli_query($con,"SELECT * FROM Cars " . $where);

來源

2013-05-08 08:01:27 flaschenpost

0

這裏是你可以怎麼做。請爲SQL注入攻擊做些事情。這僅僅是一個例子。

$query = "SELECT * FROM Cars "; 
$where = array(); 

if(isset($_GET['make'])){ 
    $where['make'] = $_GET['make']; 
} 

if(isset($_GET['colour'])){ 
    $where['colour'] = $_GET['colour']; 
} 

if(isset($_GET['fueltype'])){ 
    $where['fueltype'] = $_GET['fueltype']; 
} 

if(isset($_GET['special'])){ 
    $where['special'] = $_GET['special']; 
} 

$string = ''; 
if(count($where)>0){ 
    $i=0; 
    foreach($where as $key => $value) 
    { 
     if($i==0){ 
      $string .= " WHERE $key = $value "; 
     }else{ 
      $string .= " AND $key = $value "; 
     } 
    $i++; 
    } 
} 
$query .= $string; 

mysqli_query($query);

來源

2013-05-08 08:03:48

+0

添加http://www.php.net/manual/en/mysqli.real-escape-string.php,這是最好的解決方案。 – Adder 2013-05-08 08:10:11

+0

什麼是sql注入攻擊?它只有一個大學項目,它不會在互聯網上生活,我還必須做些什麼,如果是的話,怎麼樣? – user2136106 2013-05-08 08:22:38

+0

@ user2136106看到[this](http://www.zdnet.com/sql-injection-attack-what-is-it-and-how-to-prevent-it-7000000881/)和[this](http: //www.acunetix.com/websitesecurity/sql-injection/)。雖然這可能是拼貼項目,但您應該學會防止sql注入。另外在拼貼項目中,應用安全性將成爲您的加點。 – 2013-05-08 08:47:03

0 
if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) ||   isset($_GET['special'])){ 
$where="WHERE "; 
if(isset($_GET['make'])){ 
$make = $_GET['make']; 
$where .="MAKE ='$make' AND"; 
} 

if(isset($_GET['colour'])){ 
$colour = $_GET['colour']; 
$where .="COLOUR = '$colour' AND"; 
} 

if(isset($_GET['fueltype'])){ 
$fueltype = $_GET['fueltype']; 
$where .="FUELTYPE = '$fueltype' AND"; 
} 

if(isset($_GET['special'])){ 
$special = $_GET['special']; 
$where .="SPECIAL = '$special"; 
} 
$where=rtrim($where,'AND'); 

$result = mysqli_query($con,"SELECT * FROM Cars".$where); 
} 



else{ 
$result = mysqli_query($con,"SELECT * FROM Cars"); 
}

來源

2013-05-08 08:04:00 Amir

0

忽略了安全問題,你可以像這樣的東西取代你的整個代碼:

$query = "SELECT * FROM Cars WHERE 1 = 1"; 

if (isset($_GET['make'])) 
    $query .= ' AND MAKE = ' . (int) $_GET['make']; 

if (isset($_GET['colour'])) 
    $query .= ' AND COLOUR = ' . (int) $_GET['colour']; 

if (isset($_GET['fueltype'])) 
    $query .= ' AND FUELTYPE = ' . (int) $_GET['fueltype']; 

if (isset($_GET['special'])) 
    $query .= ' AND SPECIAL = ' . (int) $_GET['special']; 

$result = mysqli_query($con, $query);

來源

2013-05-08 08:07:07 medina

+0

爲什麼你的if語句沒有{}?我如何在這裏添加其他的東西呢?對不起,如果這是一個愚蠢的問題,這是我的全部新 – user2136106 2013-05-08 08:25:05

+0

如果'if'聲明沒有括號,下一條指令將只有在條件爲真執行。您可以在該指令後面添加其他字符,括號內的規則與上述相同。無論如何,這是一個糟糕的做法,你應該總是使用括號 – 2013-05-08 09:01:58

相關問題

 相關問題