1. 首页
  2. 问答
  3. 无法在PHP中搜索OR语句MySQL Query

无法在PHP中搜索OR语句MySQL Query

2017-06-22 30 views
1

目前正在构建CRUD系统以跟踪产品编号。在我为搜索设置的查询中,除了'p.name'之外,它似乎没有提取任何内容,但是不会提取任何其他内容,无论我是在WHERE语句中将它放在第一位还是第二位进行搜索功能。无法在PHP中搜索OR语句MySQL Query

但是,如果我改变第二个函数中的p.name为其他东西,它会选择它。

如果我添加“OR p.family LIKE?”该查询将不会执行。

这是用于产品搜索的代码。我添加了一条评论“// - 我可以在这里添加另一个LIKE吗?”

<?php 
class Product{ 

    // database connection and table name 
    private $conn; 
    private $table_name = "products"; 
    private $table2_name = "deleted_products"; 

    // object properties 
    public $id; 
    public $name; 
    public $family; 
    public $number; 
    public $description; 
    public $ext_description; 
    public $category_id; 
    public $timestamp; 
    public $timestamp2; 

    public function __construct($db){ 
     $this->conn = $db; 
    } 

     public function search($search_term, $from_record_num, $records_per_page){ 

     // select query 
     $query = "SELECT 
        c.name as category_name, p.id, p.name, p.family, p.description, p.ext_description, p.number, p.category_id, p.created 
       FROM 
        " . $this->table_name . " p 
        LEFT JOIN 
         categories c 
          ON p.category_id = c.id 
       WHERE 
        p.family LIKE ? OR p.description LIKE ? 
       ORDER BY 
        p.name ASC 
       LIMIT 
        ?, ?"; 

     // prepare query statement 
     $stmt = $this->conn->prepare($query); 

     // bind variable values 
     $search_term = "%{$search_term}%"; 
     $stmt->bindParam(1, $search_term); 
     $stmt->bindParam(2, $search_term); 
     $stmt->bindParam(3, $from_record_num, PDO::PARAM_INT); 
     $stmt->bindParam(4, $records_per_page, PDO::PARAM_INT); 

     // execute query 
     $stmt->execute(); 

     // return values from database 
     return $stmt; 
    } 

    public function countAll_BySearch($search_term){ 

     // select query 
     $query = "SELECT 
        COUNT(*) as total_rows 
       FROM 
        " . $this->table_name . " p 
        LEFT JOIN 
         categories c 
          ON p.category_id = c.id 
       WHERE 
        p.name LIKE ?"; // ---- Can I add another LIKE here? 

     // prepare query statement 
     $stmt = $this->conn->prepare($query); 

     // bind variable values 
     $search_term = "%{$search_term}%"; 
     $stmt->bindParam(1, $search_term); 

     $stmt->execute(); 
     $row = $stmt->fetch(PDO::FETCH_ASSOC); 

     return $row['total_rows']; 
    } 

}

下面是用于搜索

<?php 
// core.php holds pagination variables 
include_once 'config/core.php'; 

// include database and object files 
include_once 'config/database.php'; 
include_once 'objects/product.php'; 
include_once 'objects/category.php'; 

// instantiate database and product object 
$database = new Database(); 
$db = $database->getConnection(); 

$product = new Product($db); 
$category = new Category($db); 

// get search term 
$search_term=isset($_GET['s']) ? $_GET['s'] : ''; 

$page_title = "You searched for \"{$search_term}\""; 
include_once "header.php"; 

// query products 
$stmt = $product->search($search_term, $from_record_num, $records_per_page); 
//$stmt = $product->readAll($from_record_num, $records_per_page); 

// specify the page where paging is used 
$page_url="search.php?s={$search_term}&"; 

// count total rows - used for pagination 
$total_rows=$product->countAll_BySearch($search_term); 

// read_template.php controls how the product list will be rendered 
include_once "read_template.php"; 

// footer.php holds our javascript and closing html tags 
include_once "footer.php"; 
?>

页面如果有人可以帮助我走出这将是伟大的!谢谢。

来源

2017-06-22 DesignStuff

+0

谢谢你的提示!我如何绑定附加值?对不起,我有一段时间没有完成PHP MySQL。 – DesignStuff

+0

我试过了,得到这个:警告:PDOStatement :: execute():SQLSTATE [HY093]:无效的参数编号:绑定变量的数量与C:\ xampp \ htdocs \ phpoop \ objects \ product中的标记数量不匹配。 PHP的在线245 – DesignStuff

+0

公共职能countAll_BySearch($ SEARCH_TERM){ \t \t //选择查询 \t \t $查询=“选择 \t \t \t \t \t COUNT(*)作为TOTAL_ROWS \t \t \t \t FROM \t \t \t \t \t“。 $ this-> table_name。“P \t \t \t \t \t LEFT JOIN \t \t \t \t \t \t C类 \t \t \t \t \t \t \t ON p.category_id = c.id \t \t \t \t WHERE \t \t \t \t \t p.name像?或者p.descript离子喜欢?“; \t \t \t \t \t \t //准备查询语句 \t \t $语句= $这个 - > conn->制备($查询); \t \t $ search_term =“%{$ search_term}%”; \t \t $ stmt-> bindParam(2,$ search_term); \t \t $ stmt-> execute(); \t \t $ row = $ stmt-> fetch(PDO :: FETCH_ASSOC); \t \t return $ row ['total_rows']; \t} – DesignStuff

回答

0

你应该可以像你在第一个例子中那样做。您需要查询中每个值的占位符,然后您需要为每个占位符绑定一个。

$query = "SELECT 
      COUNT(*) as total_rows 
      FROM 
      " . $this->table_name . " p 
      LEFT JOIN 
      categories c 
      ON p.category_id = c.id 
      WHERE 
      p.name LIKE ? OR p.description LIKE ?";  

// prepare query statement 
$stmt = $this->conn->prepare($query); 
// bind variable values 
$search_term = "%{$search_term}%"; 
$stmt->bindParam(1, $search_term); 
$stmt->bindParam(2, $search_term);

bindParam函数的第一个参数是如何映射到在查询中的占位符,1意味着它会与第一个占位符。另一种语法是通过execute中的绑定。

$stmt = $this->conn->prepare($query); 
$search_term = "%{$search_term}%"; 
$stmt->execute(array($search_term, $search_term));

此外,直接在DOM中使用用户提供的数据可以打开XSS注入。您应该避免输入,以免恶意代码无法执行。

$search_term=isset($_GET['s']) ? htmlspecialchars($_GET['s'], ENT_QUOTES) : '';
  1. https://en.wikipedia.org/wiki/Cross-site_scripting
  2. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

来源

2017-06-23 13:58:39 chris85

+0

**这个完全工作的人!**所以,如果我想添加更多,我只是添加更多bindParam与执行数组中的另一个搜索词?我无法感谢你,这是我在本网站的第一次体验,我很感谢你的帮助。 – DesignStuff

+0

是的,对于每个'?'你都需要一个'bindparam'。如果这解决了您的问题,请接受答案。你可以在这里看到更多,https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – chris85

+0

对不起,我不知道如何接受答案。只需点击复选框。再次感谢! – DesignStuff

相关问题

 相关问题