7

嗨,我正在尝试为网站进行搜索。它有 2 个用于获取信息的输入,一个是下拉菜单。

<div id="search">
<form action="projectsearchall.php" method="post" enctype="multipart/form-data">
<h3>Search for an Item</h3>

<p>Keywords</p><p><input name="keywords" type="text" value="keywords"></p>


<p>Select A Location</p><p>

<select name="location" id="jumpMenu">
 <option>Any Location</option>
 <option>Antrim</option>
 <option>Armagh</option>
 <option>Carlow</option>
 <option>Cavan</option>


</select>
</p>
<p>


</form>
</div>

我似乎无法弄清楚如何组合这两个输入来给出结果,我可以单独做,但不能一起工作以获得更准确的结果。

php

$keywords = $_POST['keywords'];
$keylocation =$_POST['location'];
$username = $_SESSION['username'];

   //MySQL Database Connect
 include 'connect.php';
 //make sql query

$result = mysqli_query($con,"SELECT * FROM projectitem where description  like '%$keywords%'  or item like '%$keywords%' or location like '%$keywords%'");

提前致谢!

4

3 回答 3

4

我认为您可以在运行查询之前进行一些预处理。

首先,您需要为您的选择选项提供某种值以进行检查。

我不知道你确切的数据库结构,但假设你正在使用选择文本,你可能想试试这个:

$query = "SELECT * FROM projectitem WHERE (description LIKE '%$keywords%' OR item LIKE '%$keywords%')";

这是您的基本查询,现在运行它会检查关键字,但不会检查位置。

if($keylocation != "Any location") $query .= " AND location = '$keylocation'";

最后一行会将位置作为附加过滤器添加到您的查询中。运行它,看看它做了什么。(虽然我不确定那里的字符串比较)

啊,是的,作为最后的建议:确保通过转义函数运行您的输入mysqli_escape_string。否则,您将向 SQL 注入敞开心扉。

于 2013-05-07T16:27:19.907 回答
3

您实际上并没有使用$keylocation;的值 要缩小搜索范围,您需要一个AND而不是OR

$stmt = mysqli_prepare($con, 'SELECT * FROM projectitem 
    where (description LIKE ? OR item LIKE ?) AND location LIKE ?');

mysqli_stmt_bind_param($stmt, 'sss', "%$keywords%", "%$keywords%", "%$keylocation%");

mysqli_stmt_execute($stmt);

// etc.

更新

由于下拉菜单可能有“任何位置”,您需要动态更改您的查询:

$sql = 'SELECT * FROM projectitem WHERE 1'; // base query

$types = ''; $vars = array();

if (!empty($keywords)) {
    $sql .= ' AND (description LIKE ? OR item LIKE ?)';
    $types .= 'ss';
    $vars[] = "%$keywords%";
    $vars[] = "%$keywords%";
}

if ($keylocation != 'Any Location') {
    $sql .= ' AND location LIKE ?';
    $types .= 's';
    $vars[] = $keylocation;
}

$stmt = mysqli_prepare($con, $sql);
if ($types) {
    mysqli_stmt_bind_param($stmt, $types, $vars);
}
mysqli_stmt_execute($stmt);
于 2013-05-07T16:25:38.133 回答
0

首先你有sql注入

利用mysqli_real_escape_string

如果关键字例如为空,您的查询将是这样的

$result = mysqli_query($con,"SELECT * FROM projectitem where description  like '%%'  or item like '%%' or location like '%$keylocation%'");

description like '%%'返回所有行!

你必须先检查数据

$query = "SELECT * FROM projectitem where 1=1 "
if($keywords)
  $query .= " AND ( description  like '%$keywords%' AND item like '%$keywords%' )";
if($keylocation)
  $query .= " AND location  like '%$keylocation%'";
于 2013-05-07T16:31:00.717 回答