1. 首页
  2. 问答
  3. 过滤如果只有一个过滤器选择

过滤如果只有一个过滤器选择

2013-05-08 54 views
0

我必须做出一个汽车网站,过滤取决于预设的mysql数据库上车。 如果所有被选中我已完成了过滤(如:本田,白,汽油,而不是特殊 - 它会显示,汽车),但如果我只是想看到所有的本田(例如)没有任何显示。过滤如果只有一个过滤器选择

这是我的代码:

if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) ||   isset($_GET['special'])){ 

if(isset($_GET['make'])){ 
$make = $_GET['make']; 
} 

if(isset($_GET['colour'])){ 
$colour = $_GET['colour']; 
} 

if(isset($_GET['fueltype'])){ 
$fueltype = $_GET['fueltype']; 
} 

if(isset($_GET['special'])){ 
$special = $_GET['special']; 
} 

$result = mysqli_query($con,"SELECT * FROM Cars WHERE MAKE ='$make' AND COLOUR = '$colour' AND FUELTYPE = '$fueltype' AND SPECIAL = '$special'"); 
} 



else{ 
$result = mysqli_query($con,"SELECT * FROM Cars"); 
}

else语句使所有的汽车出现,当你过滤前打开网页。

来源

2013-05-08 user2136106

+2

**注:**有[SQL注入(高可能性HTTP ://en.wikipedia.org/wiki/SQL_injection)攻击。 – BlitZ 2013-05-08 07:53:18

回答

0

转义可能意味着:mysql_escape_string,检查有效/允许值的列表,或想好后想要的任何东西。

$where = ""; 
$separator = " WHERE "; 

if(isset($_GET['make'])){ 
    $make = $_GET['make']; 
    !! escape here 
    $where .= $separator . " MAKE = '$make' "; 
    $separator = " AND "; 
} 

if(isset($_GET['colour'])){ 
    $colour = $_GET['colour']; 
    !! escape here 
    $where .= $separator . " COLOUR = '$colour' "; 
    $separator = " AND "; 
} 

... 

$result = mysqli_query($con,"SELECT * FROM Cars " . $where);

来源

2013-05-08 08:01:27 flaschenpost

0

这里是你可以怎么做。请为SQL注入攻击做些事情。这仅仅是一个例子。

$query = "SELECT * FROM Cars "; 
$where = array(); 

if(isset($_GET['make'])){ 
    $where['make'] = $_GET['make']; 
} 

if(isset($_GET['colour'])){ 
    $where['colour'] = $_GET['colour']; 
} 

if(isset($_GET['fueltype'])){ 
    $where['fueltype'] = $_GET['fueltype']; 
} 

if(isset($_GET['special'])){ 
    $where['special'] = $_GET['special']; 
} 

$string = ''; 
if(count($where)>0){ 
    $i=0; 
    foreach($where as $key => $value) 
    { 
     if($i==0){ 
      $string .= " WHERE $key = $value "; 
     }else{ 
      $string .= " AND $key = $value "; 
     } 
    $i++; 
    } 
} 
$query .= $string; 

mysqli_query($query);

来源

2013-05-08 08:03:48

+0

添加http://www.php.net/manual/en/mysqli.real-escape-string.php,这是最好的解决方案。 – Adder 2013-05-08 08:10:11

+0

什么是sql注入攻击?它只有一个大学项目,它不会在互联网上生活,我还必须做些什么,如果是的话,怎么样? – user2136106 2013-05-08 08:22:38

+0

@ user2136106看到[this](http://www.zdnet.com/sql-injection-attack-what-is-it-and-how-to-prevent-it-7000000881/)和[this](http: //www.acunetix.com/websitesecurity/sql-injection/)。虽然这可能是拼贴项目,但您应该学会防止sql注入。另外在拼贴项目中,应用安全性将成为您的加点。 – 2013-05-08 08:47:03

0 
if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) ||   isset($_GET['special'])){ 
$where="WHERE "; 
if(isset($_GET['make'])){ 
$make = $_GET['make']; 
$where .="MAKE ='$make' AND"; 
} 

if(isset($_GET['colour'])){ 
$colour = $_GET['colour']; 
$where .="COLOUR = '$colour' AND"; 
} 

if(isset($_GET['fueltype'])){ 
$fueltype = $_GET['fueltype']; 
$where .="FUELTYPE = '$fueltype' AND"; 
} 

if(isset($_GET['special'])){ 
$special = $_GET['special']; 
$where .="SPECIAL = '$special"; 
} 
$where=rtrim($where,'AND'); 

$result = mysqli_query($con,"SELECT * FROM Cars".$where); 
} 



else{ 
$result = mysqli_query($con,"SELECT * FROM Cars"); 
}

来源

2013-05-08 08:04:00 Amir

0

忽略了安全问题,你可以像这样的东西取代你的整个代码:

$query = "SELECT * FROM Cars WHERE 1 = 1"; 

if (isset($_GET['make'])) 
    $query .= ' AND MAKE = ' . (int) $_GET['make']; 

if (isset($_GET['colour'])) 
    $query .= ' AND COLOUR = ' . (int) $_GET['colour']; 

if (isset($_GET['fueltype'])) 
    $query .= ' AND FUELTYPE = ' . (int) $_GET['fueltype']; 

if (isset($_GET['special'])) 
    $query .= ' AND SPECIAL = ' . (int) $_GET['special']; 

$result = mysqli_query($con, $query);

来源

2013-05-08 08:07:07 medina

+0

为什么你的if语句没有{}?我如何在这里添加其他的东西呢?对不起,如果这是一个愚蠢的问题,这是我的全部新 – user2136106 2013-05-08 08:25:05

+0

如果'if'声明没有括号,下一条指令将只有在条件为真执行。您可以在该指令后面添加其他字符,括号内的规则与上述相同。无论如何,这是一个糟糕的做法,你应该总是使用括号 – 2013-05-08 09:01:58

相关问题

 相关问题