0

好的,我花了很长时间尝试在 TSQL 查询字符串中添加 if 语句。任何帮助,将不胜感激。这是带有语法错误的字符串。

$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".if !empty($_GET['search']) echo ('AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}).")
";

谢谢大家的加入。我在这方面相对较新,但尝试使用以下方法防止注入:

    function ms_escape_string($data) {
    if ( !isset($data) or empty($data) ) return '';
    if ( is_numeric($data) ) return $data;

    $non_displayables = array(
        '/%0[0-8bcef]/',            // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',             // url encoded 16-31
        '/[\x00-\x08]/',            // 00-08
        '/\x0b/',                   // 11
        '/\x0c/',                   // 12
        '/[\x0e-\x1f]/'             // 14-31


    );
    foreach ( $non_displayables as $regex )
    $data = preg_replace( $regex, '', $data );
    $data = str_replace("'", "''", $data );
    return $data;
    }

    function sanitize($data){
    $data=trim($data);
    $data=htmlspecialchars($data);
    $data=ms_real_escape_string($data);
    return $data;
    }

    $search = sanitize($_GET['search']);
4

5 回答 5

2

那么内联条件呢?

<?php

$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)"
.( (!empty($_GET['search'])) ? ' AND tblCasesLawyers.PLAINTIFFLASTNAME='.$_GET['search'] : '').")";

?>
于 2012-06-11T19:55:22.563 回答
2

我不认为连接这样的if语句在语法上是合法的。它不会评估操作员无法理解的任何内容。使用三元或将您的陈述分成三部分(在cleanse基于此答案编写方法之后:

$cleanCenterID = cleanse($_SESSION['center']);
$clentSearch = cleanse($_GET['search']);


$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' +tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$cleanCenterID}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)";

if(!empty($cleanSearch)) {
    $sql .= 'AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$cleanSearch});
}

$sql .= ")";
于 2012-06-11T19:56:21.430 回答
1

如果在这里,我认为您需要一行:

 "AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".
((!empty($_GET['search']) ? 'AND tblCasesLawyers.PLAINTIFFLASTNAME=' . $_GET['search'] : '' ). 
")

如某些评论中所述,以这种方式连接查询可能导致SQL 注入,为避免 SQL 注入,您可以使用准备好的语句和参数化查询,请参阅此问题以了解避免 SQL 注入的最佳方法;-)。

谢谢

一起去了

$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".( (!empty($search)) ? " AND tblCasesLawyers.PLAINTIFFLASTNAME='". $search . "'" : '').")";
于 2012-06-11T19:55:20.910 回答
1

您可以使用内联“if”将条件语句插入字符串,即

$sql = 'Your sql '.(!empty($_GET['search']) ? 'some sql' : 'some other sql').' the rest of your sql';
于 2012-06-11T19:54:21.580 回答
0

如果您替换代码,它会起作用吗:

.if !empty($_GET['search']) echo ('AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}).")

有了这个:

'AND (  tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}.' OR len('.{$_GET['search']}.') = 0 OR '.{$_GET['search']}.' is null)'
于 2012-06-11T19:53:14.897 回答