1

我有一个带有分页的搜索/过滤表单,所以我必须使用 $_GET 来获取 url 中的参数。现在我想使用还准备好的语句更安全。

问题是,如果我留下一个空白字段,我会收到错误消息。有没有办法绕过这个问题?我搜索了这个 wbsite,发现了研讨会问题,但它们都是关于将空字段插入数据库的。

$input = $_GET['input'];

$categories = $_GET['category'];
$state = $_GET['state'];
$zipcode = $_GET['zipcode'];
$targetpage = "send.php";
$limit = 3;

//This query checks for data
  $qq = " SELECT * FROM classified where confirm='0' ";
    if (!empty($input)) {
        $qq .= "AND title LIKE :input ";
    }
    if (!empty($categories) ){
        $qq .= "AND id_cat = :categories ";
    }

    if (!empty($state) ) {
        $qq .= "AND id_state = :state ";
    }

            if (!empty($zipcode) ) {
        $qq .= "AND zipcode = :zipcode ";
    }


    $qq .= "ORDER BY date DESC ";
    $qq = $db->prepare($qq);
   $input = "%".$input."%";
    // Bind the parameter
$qq->execute(array(':input'=> $input,
 ':categories'=> $categories,
 ':state'=> $state,
 ':zipcode'=> $zipcode  ));

我得到的错误是

 PDOException: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined  
 in ....send.php on line 56

这是 ':zipcode'=> $zipcode ));

4

2 回答 2

2

构建查询时只需构建要绑定的数组

    $to_bind = array();
    if (!empty($input)) {
        $qq .= "AND title LIKE :input ";
        $to_bind[':input'] = $input;
    }
    if (!empty($categories) ){
        $qq .= "AND id_cat = :categories ";
        $to_bind[':categories'] = $categories ;
    }

    if (!empty($state) ) {
        $qq .= "AND id_state = :state ";
        $to_bind[':state'] = $state ;
    }

   if (!empty($zipcode) ) {
        $qq .= "AND zipcode = :zipcode ";
        $to_bind[':zipcode'] = $zipcode ;
   }
   ...
   $qq->execute($to_bind);

我不确定传递一个空数组是否会导致问题,以防所有参数都为空。

于 2013-01-04T03:41:14.937 回答
-1

尽量不要重复自己。想象一下,如果您在搜索过滤器中有 50 个字段。

  $input = $_GET['input'];
  $categories = $_GET['category'];
  $state = $_GET['state'];
  $zipcode = $_GET['zipcode'];
  $targetpage = "send.php";
  $limit = 3;
  $Param = array();
 //This query checks for data
 $qq = " SELECT * FROM classified where confirm='0' ";
 if (!empty($input)) {
    $qq .= "AND title LIKE :input ";
    $Param[':input'] = $input;
}
if (!empty($categories) ){
    $qq .= "AND id_cat = :categories ";
    $Param[':categories'] = $categories ;
}

if (!empty($state) ) {
    $qq .= "AND id_state = :state ";
    $Param[':state'] = $state ;
}

        if (!empty($zipcode) ) {
    $qq .= "AND zipcode = :zipcode ";
    $Param[':zipcode'] = $zipcode ;
}


$qq .= "ORDER BY date DESC ";
$qq = $db->prepare($qq);
$qq->execute($Param);

我希望这个能帮上忙

于 2013-01-04T03:41:25.163 回答