0

表(书)==>(keyid,名称)

<form action="se.php">
    <select>
    <option value="1">book1</option>
    <option value="2">book2</option>
    <option value="3">book3</option>
    <option value="????">All Book</option>
    </select>
<input type="submit" name="search" value="search">
</form>

//se.php 
    $keyid=$_GET[keyid];
    $sql=mysql_query("SELECT `name` FROM `book` WHERE `keyid`='$keyid'");
//end page

我为sql查询搜索所有内容的最后一个选项值(??????)

4

3 回答 3

2

全部

然后:

$where = '';

if $keyid != all then {
  $where = WHERE `keyid`= $keyid // escape value protect from sql injection!
}

mysql_query("SELECT `name` FROM `book` $where");
于 2012-12-04T13:00:51.260 回答
1

这应该这样做:

$keyid=mysql_real_escape_string($_GET[keyid]);
if(trim($keyid)!="")
    $where = " `keyid`='$keyid' ";
else
    $where = " 1 ";
$sql=mysql_query("SELECT `name` FROM `book` WHERE $where ");
于 2012-12-04T13:00:38.577 回答
1

您的代码在防止 sql 注入方面非常薄弱。您应该逃避您的输入,并且永远不要相信您收到的值。在您的选项中考虑这个值:

<option value="';truncate table book;">All Book</option>

一个好的方法是@cojack 的答案

于 2012-12-04T13:05:53.423 回答