1. 首頁
  2. 問答
  3. mysql查詢返回整個表

mysql查詢返回整個表

2013-05-28 39 views
0

我正在使用這個PHP執行搜索,但它從表中返回所有內容,而不是與搜索相關的任何內容......我也遇到了「mysqli_real_escape_string」錯誤,但我不是確定它是否相關。mysql查詢返回整個表

<?php 
$con=mysqli_connect("***","***","***","***"); 
// Check connection 
if (mysqli_connect_errno()) 
    { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
    } 
?> 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
    <title>Search results</title> 
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
    <link rel="stylesheet" type="text/css" href="style.css"/> 
</head> 
<body> 
<?php 
    $query = $_GET['query']; 
    // gets value sent over search form 

    $min_length = 3; 
    // you can set minimum length of the query if you want 

    if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then 

     $query = htmlspecialchars($query); 
     // changes characters used in html to their equivalents, for example: < to &gt; 

     $query = mysqli_real_escape_string($query); 
     // makes sure nobody uses SQL injection 

     $raw_results = mysqli_query($con,"SELECT * FROM test_table 
      WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')") or die(mysqli_error()); 

     if(mysqli_num_rows($raw_results) > 0){ // if one or more rows are returned do following 

      echo "<table border='1'> 
      <tr> 
      <th>email</th> 
      <th>pw</th> 
      </tr>"; 

      while($results = mysqli_fetch_array($raw_results)){ 
      // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop 

       echo "<tr><td>".$results['email']."</td><td>".$results['pw']."</td></tr>"; 
       //echo "<p><h3>".$results['email']."</h3>".$results['pw']."<br/>".$results['ID']."</p>"; 

      } 

     } 
     else{ // if there is no matching rows do following 
      echo "No results"; 
     } 

    } 
    else{ // if query length is less than minimum 
     echo "Minimum length is ".$min_length; 
    } 
?> 
</body> 
</html>

來源

2013-05-28 Dan w

回答

0

您的查詢不正確。你應該使用反引號,而不是引用

$raw_results = mysqli_query($con,"SELECT * FROM test_table 
     WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')") or 
die(mysqli_error());

此外,mysqli_real_escape_string要求第一個參數是$ CON

$query = mysqli_real_escape_string($con, $query);

來源

2013-05-28 04:10:04 Robbert

0 
WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')"

你是錯的逸出列名,他們應該被轉義反引號,而不是單引號;

'email' -- the string "email". 
`email` -- the column "email".

換句話說,它應該是;

WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')"

作爲一個側面說明,你會更好使用參數化查詢比建查詢作爲使用mysqli_real_escape_string()字符串。這對安全性更好,並且它使查詢可以緩存到數據庫中。

如果您打算將它與過程類型調用一起使用(就像您一樣),您需要將連接作爲第一個參數傳遞給它;

$query = mysqli_real_escape_string($con, $query);

來源

2013-05-28 04:10:11

+0

謝謝!這固定它......只要參數化查詢而不是轉義字符串,你有任何建議閱讀爲我學習如何做到這一點? –

+0

@ user1958605 [This](http://www.dreamincode.net/forums/topic/54239-introduction-to-mysqli-and-prepared-statements/)是一個相當體面的快速入門,顯示了查詢的不同風格。 –

0

您需要引用不同的查詢。試試這個:

"SELECT * FROM test_table WHERE (`email` LIKE '%" . $query . "%') OR (`pw` LIKE '%" . $query . "%')"

而且你mysqli_real_escape_string需要在它的$ CON喜歡:

mysqli_real_escape_string($con, $query)

來源

2013-05-28 04:12:34 chrislondon

相關問題

 相關問題