-3

I have a form..want to display the data from mysql table..problem is that the SQL query statement is not displaying the data..any ideas? I think the error may be orruring due to the AND statement in the SQL query line?

  <form method="get" action="submit.php">

   Number of Bedrooms: <select name="bedrooms">
   <option selected value='#'>--Choose Number of Bedrooms--</option>
   <option value="2">2</option>
   <option value="3">3</option>
   <option value="4">4</option>
   <option value="5">5</option>
   </select>


   Number of Occupants:  <select name="sleeps_min">
   <option selected value='#'>--Choose Number of Bedrooms--</option>
   <option value="2">2</option>
   <option value="3">3</option>
   <option value="4">4</option>
   <option value="5">5</option>
   <option value="6">6</option>
   <option value="7">7</option>
   <option value="8">8</option>
   <option value="9">9</option>  
   <option value="10">10</option>
   </select>

   Availability:  <select name="availability">
   <option selected value='#'>--Select Availability Period--</option>
   <option value="All year round">All Year Round</option>
   <option value="New Year Availability Only">New Year</option>

   </select>
   <input type="submit" value="submit" />
    </form>

--

 require 'defaults.php';
 require 'database.php';

 /* get properties from database */

 $property = $_GET['bedrooms'] ;
 $sleeps_min = $_GET['sleeps_min'] ;
 $availability = $_GET['availability'] ;


  $query = "SELECT * FROM `properties` WHERE bedrooms = '{$bedrooms}' sleeps_min = '{$sleeps_min}' AND availability = '{$availability}'";
  $row=mysql_query($query);

  $result = do_query("SELECT * FROM `properties` WHERE bedrooms = '{$bedrooms}' sleeps_min = '{$sleeps_min}' AND availability = '{$availability}'", $db_connection);

 while ($row = mysql_fetch_assoc($result))
 {
$r[] = $row;
 }

 ?>
4

1 回答 1

2

AND在 where 子句中缺少逻辑运算符(例如 ):

$query = "SELECT * FROM `properties` WHERE bedrooms = '{$bedrooms}' sleeps_min =
                                                                   ^----here

并且您的查询容易受到 SQL 注入攻击。至少你应该通过mysql_real_escape_string传递你的 $_GET 变量

如果您的代码中甚至有简单的错误处理,您就会看到语法错误:

$result = mysql_query($query) or die(mysql_error());
                             ^^^^^^^^^^^^^^^^^^^^^^

永远不要假设查询成功。即使 SQL 语法本身是完美的(你的不是),也可能有其他原因导致查询失败而不检查失败。

于 2012-04-26T03:19:18.753 回答