1. 首页
  2. 问答
  3. SQL高级搜索/忽略空查询

SQL高级搜索/忽略空查询

2016-11-16 142 views
0

我在我的网站上创建高级搜索功能来搜索。我有5个可用于搜索特定帐户(姓,名,用户名,注册日期和帐户等级)的字段,并且所有字段必须匹配或1(或更多)字段必须匹配的选项。用户输入的值通过Javascript发布到PHP文件中。 PHP文件然后完成搜索。SQL高级搜索/忽略空查询

目前,“AND”搜索作为空白值不会影响搜索结果,因为其他值仍必须匹配。但是,“OR”并不如空白搜索框会使其他记录显示为与“LIKE%”匹配。$变量。“%”搜索变量为空时。

我需要找出一种方法让系统忽略空盒子,但是,我正在努力寻找一种合适的方式,而不会导致错误的SQL代码在错误的地方使用“OR” 。所以任何建议都会很好。

由于提前, 汤姆

PHP

<?php 
//Retrieves variables from Javascript. 
$Surname = $_POST["Surname"]; 
$Forename = $_POST["Forename"]; 
$Username = $_POST["Username"]; 
$Joined = $_POST["Joined"]; 
$Rank = $_POST["Rank"]; 
$ANDOR = $_POST["ANDOR"]; 

$data = 0; 

include "db/openlogindb.php"; 
if($DBError == true){ 
    $data = 3; 
} 
else{ 

    if($ANDOR == "AND"){ 
     $UserSearch = "SELECT username, surname, forename, joined, rank FROM users 
     WHERE surname LIKE '%".$Surname."%' 
     AND forename LIKE '%".$Forename."%' 
     AND username LIKE '%".$Username."%' 
     AND joined LIKE '%".$Joined."%' 
     AND rank LIKE '%".$Rank."%' 
     ORDER BY surname"; 
    } 
    else if($ANDOR == "OR"){ 
     $UserSearch = "SELECT username, surname, forename, joined, rank FROM users 
     WHERE surname LIKE '%".$Surname."%' 
     OR forename LIKE '%".$Forename."%' 
     OR username LIKE '%".$Username."%' 
     OR joined LIKE '%".$Joined."%' 
     OR rank LIKE '%".$Rank."%' 
     ORDER BY surname"; 
    } 
    else{ 
     $data = 2; 
    } 

    if($data == 0){ 
     $results = mysqli_query($conn, $UserSearch); 

     if(mysqli_num_rows($results) == 0){ 
      $data = 1; 
     } 
     else{ 
      $data = ''; 

      while($row = mysqli_fetch_assoc($results)){ 
       $data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>'; 
      } 
     } 
    } 
} 

include "db/closelogindb.php"; 

echo $data; 
?>

HTML/JavaScript的 http://thomas-smyth.co.uk/admin/accountlist.php

来源

2016-11-16 Thomas Smyth

+5

你是相当开放[SQL注入(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php).. – Naruto

+0

请参阅SQL安全性文档。查询准备比这种非转义的查询更安全 – Bobot

+0

叶,它在我的列表上。事实上,我会在解决这个问题后进行分类。虽然您有任何想法,考虑到即使在对SQL注入保护进行排序时仍然需要解决此问题。 –

回答

2 
<?php 
// Create the array to store the variables 
$array = array(); 

//Retrieves variables from Javascript. 
//Where $conn is your database connection 
if (isset($_POST["Surname"])) $array['surname'] = mysqli_real_escape_string($conn, $_POST["Surname"]); 
if (isset($_POST["Forename"])) $array['forename'] = mysqli_real_escape_string($conn, $_POST["Forename"]); 
if (isset($_POST["Username"])) $array['username'] = mysqli_real_escape_string($conn, $_POST["Username"]); 
if (isset($_POST["Joined"])) $array['joined'] = mysqli_real_escape_string($conn, $_POST["Joined"]); 
if (isset($_POST["Rank"])) $array['rank'] = mysqli_real_escape_string($conn, $_POST["Rank"]); 
if (isset($_POST["ANDOR"])) $ANDOR = mysqli_real_escape_string($conn, $_POST["ANDOR"]); 

$data = 0; 

include "db/openlogindb.php"; 
if($DBError == true){ 
    $data = 3; 
} 
else{ 

//Make a variable to check for the last key in the array 
$last_key = end(array_keys($array)); 

if($ANDOR == 'AND'){ 
     $UserSearch = "SELECT "; 
     foreach ($array as $key => $value) 
       { 
        $UserSearch .= $key; 
        if ($last_key != $key) $UserSearch .= ', '; 
       } 
       $UserSearch .= ' FROM users WHERE '; 

       foreach ($array as $key => $value) 
       { 
        $UserSearch .= $key . ' LIKE %"' . $value . '"%'; 
        if ($last_key != $key) $UserSearch .= ' AND '; 
       } 
     } 
    else if($ANDOR == 'OR'){ 
     $UserSearch = "SELECT "; 
     foreach ($array as $key => $value) 
       { 
        $UserSearch .= $key; 
        if ($last_key != $key) $UserSearch .= ', '; 
       } 
       $UserSearch .= ' FROM users WHERE '; 

       foreach ($array as $key => $value) 
       { 
        $UserSearch .= $key . ' LIKE %"' . $value . '"%'; 
        if ($last_key != $key) $UserSearch .= ' OR '; 
       } 
     } 
    else{ 
     $data = 2; 
    } 

    if($data == 0){ 
     $results = mysqli_query($conn, $UserSearch); 

     if(mysqli_num_rows($results) == 0){ 
      $data = 1; 
     } 
     else{ 
      $data = ''; 

      while($row = mysqli_fetch_assoc($results)){ 
       $data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>'; 
      } 
     } 
    } 
} 

include "db/closelogindb.php"; 

echo $data; 
?>

来源

2016-11-16 15:27:32 Jacey

+0

我找到了我需要的一个修复程序,我现在要发布。但是,您发布的内容是否包含对SQL注入的保护?如果是这样,它可能是一个更好的解决方案,我目前正在测试。我现在正在阅读SQL注入,虽然收效甚微,但我仍然对如何实现它等方面仍然有些无知。 –

+1

假设您使用MySQL数据库,mysqli_escape_string()函数有助于防止SQL注入。我不确定什么数据格式“等级”是,但你可以通过像这样类型化他们来使你的输入更安全: – Jacey

+1

'if(isset($ _ POST [“Rank”]))(int)$ array ['rank '] = mysqli_real_escape_string($ conn,$ _POST [“Rank”]);' – Jacey

0

这可能是完美远,但它确实工作。我打算在读完它后立即添加SQL注入保护。

<?php 
//Retrieves variables from Javascript. 
$Surname = $_POST["Surname"]; 
$Forename = $_POST["Forename"]; 
$Username = $_POST["Username"]; 
$Joined = $_POST["Joined"]; 
$Rank = $_POST["Rank"]; 
$ANDOR = $_POST["ANDOR"]; 

if($Surname == ""){ 
    $Surname = "xxxxxxxxxx"; 
} 
if($Forename == ""){ 
    $Forename = "xxxxxxxxxx"; 
} 
if($Username == ""){ 
    $Username = "xxxxxxxxxx"; 
} 
if($Joined == ""){ 
    $Joined = "xxxxxxxxxx"; 
} 
if($Rank == ""){ 
    $Rank = "xxxxxxxxxx"; 
} 

$data = 0; 

include "db/openlogindb.php"; 
if($DBError == true){ 
    $data = 3; 
} 
else{ 

    if($ANDOR == "AND"){ 
     $UserSearch = "SELECT username, surname, forename, joined, rank FROM users 
     WHERE surname LIKE '%".$Surname."%' 
     AND forename LIKE '%".$Forename."%' 
     AND username LIKE '%".$Username."%' 
     AND joined LIKE '%".$Joined."%' 
     AND rank LIKE '%".$Rank."%' 
     ORDER BY surname"; 
    } 
    else if($ANDOR == "OR"){ 
     $UserSearch = "SELECT username, surname, forename, joined, rank FROM users 
     WHERE surname LIKE '%".$Surname."%' 
     OR forename LIKE '%".$Forename."%' 
     OR username LIKE '%".$Username."%' 
     OR joined LIKE '%".$Joined."%' 
     OR rank LIKE '%".$Rank."%' 
     ORDER BY surname"; 
    } 
    else{ 
     $data = 2; 
    } 

    if($data == 0){ 
     $results = mysqli_query($conn, $UserSearch); 

     if(mysqli_num_rows($results) == 0){ 
      $data = 1; 
     } 
     else{ 
      $data = ''; 

      while($row = mysqli_fetch_assoc($results)){ 
       $data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>'; 
      } 
     } 
    } 
} 

include "db/closelogindb.php"; 

echo $data; 
?>

来源

2016-11-16 15:40:53

相关问题

 相关问题