0

我在下面有一个评估下拉菜单:

<select name="session" id="sessionsDrop">
<option value="All">All</option>
<option value="2">EOWOW</option>
<option value="34">EOWOW</option>
</select>  


 <select name="student" id="studentsDrop">
    <option value="All">All</option>
    <option value="23">Jay Hart</option>
    <option value="32">Bubba Wright</option>
    </select>

上面是一个简单的下拉菜单。我在下面运行查询以获取选定学生的详细信息以及选定的评估详细信息。现在选择的评估输出细节没有问题,但是 echo for selected student 选项不起作用,就像用户选择All选项一样,然后 echo "<p><strong>Students: </strong>All Students - Total:(" .$selstudentnum . ")</p>" . PHP_EOL;。但问题是,如果选择该选项,它不会显示此回显All。事实上,如果选择该选项,它根本不会显示回声All。我都试过了=====但看不到我做错了什么

$selectedsessionqry = "
SELECT
SessionName, SessionDate, SessionTime
FROM
Session
WHERE
(SessionId = ?)
";

global $mysqli;
$selectedsessionstmt=$mysqli->prepare($selectedsessionqry);
// You only need to call bind_param once
$selectedsessionstmt->bind_param("i",$_POST["session"]);
// get result and assign variables (prefix with db)
$selectedsessionstmt->execute(); 
$selectedsessionstmt->bind_result($selSessionName,$selSessionDate,$selSessionTime);

 while ($selectedsessionstmt->fetch()) {

     echo "<p><strong>Assessment: </strong>" . $selSessionName . " - " . date('d-m-Y',strtotime($selSessionDate)) . " - " . date('H:i',strtotime($selSessionTime)) . "</p>" . PHP_EOL;

 }


$selectedsessionstmt->close();   

    $selectedstudentqry = "
        SELECT
        StudentAlias, StudentForename, StudentSurname
        FROM
        Student
        WHERE
        (StudentId = ?)
        ";

        global $mysqli;
        $selectedstudentstmt=$mysqli->prepare($selectedstudentqry);
        // You only need to call bind_param once
        $selectedstudentstmt->bind_param("i",$_POST["student"]);
        // get result and assign variables (prefix with db)
        $selectedstudentstmt->execute(); 
        $selectedstudentstmt->bind_result($selStudentAlias,$selStudentForename,$selStudentSurname);
        $selectedstudentstmt->store_result();
        $selstudentnum = $selectedstudentstmt->num_rows();   

         while ($selectedstudentstmt->fetch()) {

        if($_POST["student"] === 'All') {
            echo "<p><strong>Students: </strong>All Students - Total:(" .$selstudentnum . ")</p>" . PHP_EOL;
        }else{
            echo "<p><strong>Students: </strong>" . $selStudentAlias . " - " . $selStudentForename . " " . $selStudentSurname . "</p>" . PHP_EOL;
        }
        }
4

1 回答 1

0

我认为你的条件在这里失败

 $selectedstudentstmt->bind_param("i",$_POST["student"]);

它期望整数值,但您正在发送字符串。

不要在查询中直接使用 $_POST,这会导致 sql 注入攻击。

在 sql 查询中使用之前清理用户输入。

更改:在查询之前添加以下条件。再次不要忘记消毒。

if ($_POST["student"] == 'ALL') {
   $where = WHERE (StudentId = ?) ";
} else {
  $where  = "";
}
$selectedstudentqry = " SELECT StudentAlias, StudentForename, StudentSurname FROM    Student  $where
于 2013-01-31T06:39:24.617 回答