我在我的网站上创建高级搜索功能来搜索。我有5个可用于搜索特定帐户(姓,名,用户名,注册日期和帐户等级)的字段,并且所有字段必须匹配或1(或更多)字段必须匹配的选项。用户输入的值通过Javascript发布到PHP文件中。 PHP文件然后完成搜索。SQL高级搜索/忽略空查询
目前,“AND”搜索作为空白值不会影响搜索结果,因为其他值仍必须匹配。但是,“OR”并不如空白搜索框会使其他记录显示为与“LIKE%”匹配。$变量。“%”搜索变量为空时。
我需要找出一种方法让系统忽略空盒子,但是,我正在努力寻找一种合适的方式,而不会导致错误的SQL代码在错误的地方使用“OR” 。所以任何建议都会很好。
由于提前, 汤姆
PHP
<?php
//Retrieves variables from Javascript.
$Surname = $_POST["Surname"];
$Forename = $_POST["Forename"];
$Username = $_POST["Username"];
$Joined = $_POST["Joined"];
$Rank = $_POST["Rank"];
$ANDOR = $_POST["ANDOR"];
$data = 0;
include "db/openlogindb.php";
if($DBError == true){
$data = 3;
}
else{
if($ANDOR == "AND"){
$UserSearch = "SELECT username, surname, forename, joined, rank FROM users
WHERE surname LIKE '%".$Surname."%'
AND forename LIKE '%".$Forename."%'
AND username LIKE '%".$Username."%'
AND joined LIKE '%".$Joined."%'
AND rank LIKE '%".$Rank."%'
ORDER BY surname";
}
else if($ANDOR == "OR"){
$UserSearch = "SELECT username, surname, forename, joined, rank FROM users
WHERE surname LIKE '%".$Surname."%'
OR forename LIKE '%".$Forename."%'
OR username LIKE '%".$Username."%'
OR joined LIKE '%".$Joined."%'
OR rank LIKE '%".$Rank."%'
ORDER BY surname";
}
else{
$data = 2;
}
if($data == 0){
$results = mysqli_query($conn, $UserSearch);
if(mysqli_num_rows($results) == 0){
$data = 1;
}
else{
$data = '';
while($row = mysqli_fetch_assoc($results)){
$data .= '<tr><td>'.$row['surname'].'</td><td>'.$row['forename'].'</td><td>'.$row['username'].'</td><td>'.$row['joined'].'</td><td>'.$row['rank'].'</td><td><button type="button" class="btn btn-block btn-primary btn-xs" onClick="ChangePassOpen(\''.$row['username'].'\')">Change Password</button></td></tr>';
}
}
}
}
include "db/closelogindb.php";
echo $data;
?>
HTML/JavaScript的 http://thomas-smyth.co.uk/admin/accountlist.php
你是相当开放[SQL注入(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php).. – Naruto
请参阅SQL安全性文档。查询准备比这种非转义的查询更安全 – Bobot
叶,它在我的列表上。事实上,我会在解决这个问题后进行分类。虽然您有任何想法,考虑到即使在对SQL注入保护进行排序时仍然需要解决此问题。 –