0

我的 PHP/MySQL 搜索遇到了一些困难。一年前它工作得很好,但由于某种原因它刚刚停止工作。我已经尝试过搜索,但无法弄清楚。我让它回显我的查询,但它从未添加到 WHERE 子句中。任何帮助深表感谢。

表格代码:

<form name="search" method="post">
    <p><b>Name of Property:</b> <input type="text" id="NameSrch" name="NameSrch" /> (optional)</p>
    <p><b>City Your Looking to Stay In:</b> <input type="text" id="CitySrch" name="CitySrch" /> (optional)</p>
    <p><b>Listing ID Number:</b> <input type="text" id="RentalIDSrch" name="RentalIDSrch" /> (optional)</p>
    <p><b>Number of Bedrooms:</b> <input type="text" id="BedroomSrch" name="BedroomSrch" /> (optional)</p>
    <p><b>Number of Bathrooms:</b> <input type="text" id="BathroomSrch" name="BathroomSrch" /> (optional)</p>
    <p><b>Maximum Occupancy:</b> <input type="text" id="SleepsSrch" name="SleepsSrch" /> (optional)</p>
    <input type="hidden" name="method" value="exSearch">
    <p><input type="submit" value="Search" /></p>
</form>

PHP代码:

<? 
                        $method = $_POST['method'];

                        if($method == 'exSearch') {

                            // Start Results Display 


                            $con = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql: ' . mysql_error());
                            mysql_select_db($dbname);

                            $query_string = 'SELECT * FROM TABLE ';

                            $location_result_string = "";
                            $location_count = 0;


                                if ($NameSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propName) LIKE ("%$NameSrch%") ';
                                }

                                if ($CitySrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propCity) LIKE ("%$CitySrch%") ';
                                }

                                if ($RentalIDSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propID) LIKE ("%$RentalIDSrch%") ';
                                }

                                if ($BedroomSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propBedrooms) LIKE ("%$BedroomSrch%") ';
                                }

                                if ($BathroomSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propBaths) LIKE ("%$BathroomSrch%") ';
                                }

                                if ($SleepsSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propSleeps) LIKE ("%$SleepsSrch%") ';
                                }



                            if ($location_count > 0) {
                                $location_result_string = "WHERE (" . $location_result_string . ")";

                                $query_string = $query_string . $location_result_string;    
                            }

                            $re = mysql_query($query_string, $con) or die (mysql_error());

                            $number_of_rows = mysql_num_rows($re);




                            // Loop through each item in the result set                 
                            for ($h = 0; $h < $number_of_rows; $h++)
                            {

                            $propID = mysql_result($re, $h, 'propID');
                            $propAvail = mysql_result($re, $h, 'propAvail');
                            $propPets = mysql_result($re, $h, 'propPets');
                            $propName = mysql_result($re, $h, 'propName');
                            $propPropertyType = mysql_result($re, $h, 'propPropertyType');
                            $propPriceRange = mysql_result($re, $h, 'propPriceRange');
                            $propBedrooms = mysql_result($re, $h, 'propBedrooms');
                            $propBaths = mysql_result($re, $h, 'propBaths');
                            $propPropertyType = mysql_result($re, $h, 'propPropertyType');
                            $propSleeps = mysql_result($re, $h, 'propSleeps');
                            $propPic1 = mysql_result($re, $h, 'propPic1');
                            $propPicDesc1 = mysql_result($re, $h, 'propPicDesc1');

                            $nameLen = strlen($propName);
                            $petsLen = strlen($propPets);
                            $pets = $propPets;


                                                           //Results go here

                            }
                            echo $query_string;
                            }


                            // End Results Display

                            ?>
4

2 回答 2

1

如果我对直接从表单中提取的变量的假设是正确的,那么您必须注册全局变量,这是不建议的,因为它会带来很大的安全风险。相反,我以正确的方式调整了您的 PHP 代码,还修复了查询字符串中包含的变量。

<?php
$method = $_POST['method'];
if($method == 'exSearch') {
    // Start Results Display 
    $con = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql: ' . mysql_error());
    mysql_select_db($dbname);
    $query_string = 'SELECT * FROM TABLE ';
    $location_result_string = "";
    $location_count = 0;
    if ($_POST['NameSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propName) LIKE ("%'.$_POST['NameSrch'].'%") ';
    }
    if ($_POST['CitySrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propCity) LIKE ("%'.$_POST['CitySrch'].'%") ';
    }
    if ($_POST['RentalIDSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propID) LIKE ("%'.$_POST['RentalIDSrch'].'%") ';
    }
    if ($_POST['BedroomSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propBedrooms) LIKE ("%'.$_POST['BedroomSrch'].'%") ';
    }
    if ($_POST['BathroomSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propBaths) LIKE ("%'.$_POST['BathroomSrch'].'%") ';
    }
    if ($_POST['SleepsSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propSleeps) LIKE ("%'.$_POST['SleepsSrch'].'%") ';
    }
    if ($location_count > 0) {
        $location_result_string = "WHERE (" . $location_result_string . ")";
        $query_string = $query_string . $location_result_string;    
    }
    $re = mysql_query($query_string, $con) or die (mysql_error());
    $number_of_rows = mysql_num_rows($re);
    // Loop through each item in the result set                 
    for ($h = 0; $h < $number_of_rows; $h++)
    {
        $propID = mysql_result($re, $h, 'propID');
        $propAvail = mysql_result($re, $h, 'propAvail');
        $propPets = mysql_result($re, $h, 'propPets');
        $propName = mysql_result($re, $h, 'propName');
        $propPropertyType = mysql_result($re, $h, 'propPropertyType');
        $propPriceRange = mysql_result($re, $h, 'propPriceRange');
        $propBedrooms = mysql_result($re, $h, 'propBedrooms');
        $propBaths = mysql_result($re, $h, 'propBaths');
        $propPropertyType = mysql_result($re, $h, 'propPropertyType');
        $propSleeps = mysql_result($re, $h, 'propSleeps');
        $propPic1 = mysql_result($re, $h, 'propPic1');
        $propPicDesc1 = mysql_result($re, $h, 'propPicDesc1');
        $nameLen = strlen($propName);
        $petsLen = strlen($propPets);
        $pets = $propPets;
        // Results go here
    }
    echo $query_string;
}
// End Results Display

?>

我还建议验证您的输入并检查您是否获得了所需的数据类型,例如如果您想要数字,请验证它是一个数字,这样您就不太容易受到 SQL 注入的影响。还使用 mysql_real_escape_string( http://php.net/manual/en/function.mysql-real-escape-string.php ) 来清理数据。

如果您希望您的脚本在未来也能正常工作,我建议您学习一两节 PDO,因为在不久的将来,PHP 将摆脱 MySQL 库。

于 2013-03-27T18:55:34.903 回答
0

您正在使用 variables$NameSrch$CitySrch而不定义它们。由于它们与表单输入的名称匹配,我假设您最初已register_globals打开,现在已关闭(或者如果您使用的是 PHP 5.4.0,则已删除)。

您需要将它们更改为$_POST['NameSrch'],$_POST['CitySrch']等。

于 2013-03-27T18:56:26.143 回答