2

我已经制作了这个 php 代码来过滤来自 mysql 数据库的结果。它工作得很好,但我确信这不是实现预期结果的最有效方式(或正确使用语言)。我正在尽我最大的努力在编写代码方面变得“好”,并希望得到一些关于如何更好地做到这一点的反馈。

$filter = "";

if (isset($_POST['submit']))
{
$aircraft_reg = "";
$prefix = "";
$part_number = "";
$flight_control = "";

if(!empty($_POST['aircraft_reg']))
    {
    $aircraft_reg = "aircraft_reg = '" . $_POST['aircraft_reg'] . "'";
    }
if(!empty($_POST['prefix']))
    {
    $prefix = "prefix = '" . $_POST['prefix'] . "'";
    }
if(!empty($_POST['part_number']))
    {
    $part_number = "part_number = '" . $_POST['part_number'] . "'";
    }
if(!empty($_POST['flight_control']))
    {
    $flight_control = "flight_control = '" . $_POST['flight_control'] . "'";
    }   
if ($aircraft_reg != "" && ($prefix != "" || $part_number != "" || $flight_control != ""))
    {
    $a = " AND ";
    }
else
    {
    $a = "";
    }
if ($prefix != "" && ($part_number != "" || $flight_control != ""))
    {
    $b = " AND ";
    }
else
    {
    $b = "";
    }
if ($part_number != "" && $flight_control != "")
    {
    $c = " AND ";
    }
else
    {
    $c = "";
    }
if ($aircraft_reg != "" || $prefix != "" || $part_number != "" || $flight_control != "")
    {
    $filter = "WHERE " . $aircraft_reg . $a . $prefix . $b . $part_number . $c . $flight_control;
    }
}

    $result = mysql_query("SELECT * FROM installed $filter ORDER BY aircraft_reg , part_number, date_installed ASC");
4

5 回答 5

2

您只需要遵循以下模式:

$result = mysql_query("
        SELECT * 
        FROM installed 
        WHERE  
            ".($_POST['aircraft_reg']?"aircraft_reg=" .mysql_real_escape_string($_POST['aircraft_reg']):"1" )." AND     
            ...
        ORDER BY aircraft_reg , part_number, date_installed ASC");

另一种选择:

foreach($_POST as $key => $val)
    if($key!="submit" and $val)
        $filters[] = "$key='".mysql_real_escape_string($val)."' ";


$result = mysql_query("
    SELECT * 
    FROM installed 
    ".(isset($filters)?"WHERE ".implode("AND ",$filters):"")."      
    ORDER BY aircraft_reg , part_number, date_installed ASC");
于 2012-10-09T12:43:38.810 回答
0

我建议你使用一些成熟的东西,比如 ActiveRecord:

http://www.phpactiverecord.org/

无需重新发明轮子(除非这纯粹是为了学习,在这种情况下,继续!)

...如果这纯粹是为了学习,请不要忘记转义任何 REQUEST 数据,例如您正在使用的 $_POST,使用 mysql_real_escape_string 之类的东西

于 2012-10-09T12:28:49.600 回答
0

快的:

  1. 使用 array_key_exists 查看是否有东西$_POST
  2. 不要将$_POST值直接放在 SQL 中,将它们转义。更多信息当你谷歌搜索SQL injection attack

  3. 我会先验证/清理您的输入,然后一次性创建查询:

    if (array_key_exists("partnumber", $_POST) {
     $part_number = validate_partnumber($_POST['partnumber']);
     $part_number = escape_for_db($part_number);
}
$q = ".... WHERE part_number='$part_number' ....";

除此之外,它看起来并不太糟糕。

于 2012-10-09T12:29:48.067 回答
0

你可以试试这个,因为条件运算符的时间复杂度比if()-else(). 此外,更少使用变量将导致更少的内存分配,因此它比您使用的更快、更优化。另一件事,使用mysql_real_escape_string()防止 sql 注入。

$filter = "";
if (isset($_POST['submit']))
{
    $condition_count = 0;

    if(!empty($_POST['aircraft_reg']))
    {
        $filter = " WHERE aircraft_reg = '" . mysql_real_escape_string($_POST['aircraft_reg']) . "'";
        $condition_count++;
    }
    if(!empty($_POST['prefix']))
    {
        $condition_count > 0?$filter .= " AND prefix = '" . mysql_real_escape_string($_POST['prefix']) . "'":$filter .= " WHERE prefix = '" . mysql_real_escape_string($_POST['prefix']) . "'";
        $condition_count++;
    }
    if(!empty($_POST['part_number']))
    {
        $condition_count > 0?$filter .= " AND part_number = '" . mysql_real_escape_string($_POST['part_number']) . "'":$filter .= " WHERE part_number = '" . mysql_real_escape_string($_POST['part_number']) . "'";
        $condition_count++;
    }
    if(!empty($_POST['flight_control']))
    {
        $condition_count > 0?$filter .= " AND flight_control = '" . mysql_real_escape_string($_POST['flight_control']) . "'":$filter .= " WHERE flight_control = '" . mysql_real_escape_string($_POST['flight_control']) . "'";
        $condition_count++;
    }
}

$result = mysql_query("SELECT * FROM installed ".$filter." ORDER BY aircraft_reg , part_number, date_installed ASC");
于 2012-10-09T12:44:06.110 回答
0 
if (!isset($_POST['submit'])) exit;

$aircraft_reg = $_POST['aircraft_reg'];
$prefix = $_POST['prefix'];
$part_number = $_POST['part_number'];
$flight_control = $_POST['flight_control'];

$result = mysql_query("
    SELECT * 
    FROM installed 
    where 
        aircraft_reg = if('$aircraft_reg' = '', aircraft_reg, '$aircraft_reg')
        and
        prefix = if('$prefix' = '', prefix, '$prefix')
        and
        part_number = if('$part_number' = '', part_number, '$part_number')
        and
        flight_control = if('$flight_control' = '', flight_control, '$flight_control')
    ORDER BY aircraft_reg , part_number, date_installed
    ");

如果这是真的,那么不要忘记清理用户输入,否则您将成为一个简单的 sql 注入受害者。

于 2012-10-09T12:57:57.397 回答