php - PHP 成员搜索的问题

Question

我对 PHP 还是很陌生，所以如果我忽略了一些简单的事情，请原谅我。我正在尝试构建一个成员搜索表单，允许人们通过输入一个或多个条件来查找成员：名字或用户名、城市、州、国家或电子邮件地址。如果输入单个字段，则该表单有效，或者仅当名称/用户名字段具有值时才输入多个字段。假设这是一个逻辑问题。提前致谢。

if (!isset($_POST['fname']))
{
//If not isset -> set with dummy value
$_POST['fname'] = "undefine";
} 
if (!isset($_POST['city']))
{
//If not isset -> set with dummy value
$_POST['city'] = "undefine";
} 
if (!isset($_POST['state']))
{
//If not isset -> set with dummy value
$_POST['state'] = "undefine";
} 
if (!isset($_POST['country']))
{
//If not isset -> set with dummy value
$_POST['country'] = "undefine";
} 
if (!isset($_POST['email']))
{
//If not isset -> set with dummy value
$_POST['email'] = "undefine";
} 

// DEFAULT QUERY STRING
$queryString = '';

if ($_POST['fname'] != '') {
  $fname = $_POST['fname'];
  $fname = stripslashes($fname); 
  $fname = strip_tags($fname);
  $fname = preg_replace('#[^A-Za-z 0-9]#i', '', $fname);
  $fname = mysql_real_escape_string($fname);
  $queryString = "(firstname LIKE '%$fname%' OR username LIKE '%$fname%')";
} else {
  $queryString = '';
} 

if ($_POST['city'] != '') {

    if (($_POST['fname'] != '') || ($_POST['state'] != '') || ($_POST['country'] != '') || ($_POST['email'] != '')){
        $city = $_POST['city'];
        $city = stripslashes($city); 
        $city = strip_tags($city);
        $city = preg_replace('#[^A-Za-z 0-9]#i', '', $city);
        $city = mysql_real_escape_string($city);
      $queryString .= " AND city='$city'";
    }  else {
  $city = $_POST['city'];
        $city = $_POST['city'];
        $city = stripslashes($city); 
        $city = strip_tags($city);
        $city = preg_replace('#[^A-Za-z 0-9]#i', '', $city);
        $city = mysql_real_escape_string($city);
  $queryString .= "city='$city'";
  } 
  } else {
  $queryString .= '';
}   

if ($_POST['state'] != '') {

    if (($_POST['fname']) || ($_POST['city']) || ($_POST['country']) || ($_POST['email'])){
      $state = $_POST['state'];
        $state = stripslashes($state); 
        $state = strip_tags($state);
        $state = preg_replace('#[^A-Za-z 0-9]#i', '', $state);
        $state = mysql_real_escape_string($state);
      $queryString .= " AND state='$state'";
    }  else {
  $state = $_POST['state'];
        $state = stripslashes($state); 
        $state = strip_tags($state);
        $state = preg_replace('#[^A-Za-z 0-9]#i', '', $state);
        $state = mysql_real_escape_string($state);
  $queryString .= "state='$state'";
  } 
  } else {
  $queryString .= '';
}   

if ($_POST['country'] != '') {

    if (($_POST['fname']) || ($_POST['city']) || ($_POST['state']) || ($_POST['email'])) {
  $country = $_POST['country'];
  $queryString .= " AND country='$country'";
  }
  else {
  $country = $_POST['country'];
  $queryString .= "country='$country'";
  }
} else {
  $queryString .= '';
}   

if ($_POST['email'] != '') {

    if (($_POST['fname']) || ($_POST['city']) || ($_POST['state']) || ($_POST['country'])){
      $email = $_POST['email'];
                $email = stripslashes($email); 
        $email = strip_tags($email);
        $email = preg_replace('#[^A-Za-z 0-9,.@-]#i', '', $email);
        $email = mysql_real_escape_string($email);
      $queryString .= " AND email='$email'";
    }  else {
  $email = $_POST['email'];
  $queryString .= "email='$email'";
  } 
  } else {
  $queryString .= '';
}   

//////////////  QUERY THE MEMBER DATA USING THE $queryString variable's value
$sql = mysql_query("SELECT id, username, firstname, city, state, country FROM members WHERE $queryString AND emailactivated='1' ORDER BY id ASC");

score 1 · Accepted Answer

绝对是构建查询字符串的非常可怕的方法。我会说废弃它并重新开始，但由于你是新人，我们只会使用你所拥有的。

第一步是停止假设您的 SQL 正在运行。您的查询调用没有任何错误检查，因此您以有用的反馈方式获得零。因此，将查询调用更改为：

$sql = mysql_query(...query...) or die(mysql_error()); 
                               ^^^^^^^^^^^^^^^^^^^^^^---add this

现在，您将获得实际 mysql 错误消息的一个很好的转储，以及一个查询片段，以解释查询的错误位置/方式。最有可能的是，鉴于您在其中添加的所有这些字段，您忘记了空格或其他内容，并使查询看起来像（注意andp=qand z=y之间缺少空格）。qand

收到这些错误消息后，您将更容易找出语法错误的位置以及修复它所需的内容。

score 0 · Accepted Answer

我看到的几个问题：

在您的isset测试中，您将未定义的变量设置为'undefine'，但是当您创建查询时，您将测试''. 这意味着如果名称为空，您将一直在寻找名为的人undefine。
您不应该尝试$_POST使用您的代码修改变量。您需要加载$_POST到另一个变量并在代码中使用它。

score 0 · Accepted Answer

// 像这样获取所有发布的数据

if(isset($_POST['fname']))
{
   $fname=$_POST['fname'];
}

//获取所有字段值

if(empty($fname))
{
}
else
{
     $where . ="fname=$fname and ";
}  
//Check and build where for each field 

//  then remove the last and 

$where  = rtrim($where, ' AND ');

if (empty($where)) {
         $where_str = NULL;
      } else {
         $where_str = "WHERE $where";
      } 

$query ="select fieldNames from tableName ";

$query . =$where_str;

php - PHP 成员搜索的问题

3 回答 3

Related

Reference