0

我正在使用这个 PHP 执行搜索,但它返回表中的所有内容,而不是与搜索相关的任何内容......我也收到“mysqli_real_escape_string”错误,但我不确定它是否相关。

<?php
$con=mysqli_connect("***","***","***","***");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Search results</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="stylesheet" type="text/css" href="style.css"/>
</head>
<body>
<?php
    $query = $_GET['query']; 
    // gets value sent over search form

    $min_length = 3;
    // you can set minimum length of the query if you want

    if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then

        $query = htmlspecialchars($query); 
        // changes characters used in html to their equivalents, for example: < to &gt;

        $query = mysqli_real_escape_string($query);
        // makes sure nobody uses SQL injection

        $raw_results = mysqli_query($con,"SELECT * FROM test_table
            WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')") or die(mysqli_error());

        if(mysqli_num_rows($raw_results) > 0){ // if one or more rows are returned do following

            echo "<table border='1'>
            <tr>
            <th>email</th>
            <th>pw</th>
            </tr>";

            while($results = mysqli_fetch_array($raw_results)){
            // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop

                echo "<tr><td>".$results['email']."</td><td>".$results['pw']."</td></tr>";
                //echo "<p><h3>".$results['email']."</h3>".$results['pw']."<br/>".$results['ID']."</p>";

            }

        }
        else{ // if there is no matching rows do following
            echo "No results";
        }

    }
    else{ // if query length is less than minimum
        echo "Minimum length is ".$min_length;
    }
?>
</body>
</html>
4

3 回答 3

0

您需要以不同的方式引用您的查询。尝试这个:

"SELECT * FROM test_table WHERE (`email` LIKE '%" . $query . "%') OR (`pw` LIKE '%" . $query . "%')"

您的 mysqli_real_escape_string 也需要 $con ,例如:

mysqli_real_escape_string($con, $query)
于 2013-05-28T04:12:34.663 回答
0

您的查询不正确。您应该使用反引号,而不是引号

$raw_results = mysqli_query($con,"SELECT * FROM test_table
        WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')") or
die(mysqli_error());

此外,mysqli_real_escape_string 要求第一个参数是 $con

$query = mysqli_real_escape_string($con, $query);
于 2013-05-28T04:10:04.977 回答
0 
WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')"

你在转义你的列名是错误的,它们应该用反引号转义,而不是单引号;

 'email'  -- the string "email".
 `email`  -- the column "email".

换句话说,它应该是;

WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')"

作为旁注,您最好使用参数化查询而不是使用mysqli_real_escape_string(). 这对安全性更好,它使查询可以缓存到数据库中。

如果您无论如何都要将它与过程类型调用一起使用(就像您所做的那样),您需要将连接作为第一个参数传递给它;

$query = mysqli_real_escape_string($con, $query);
于 2013-05-28T04:10:11.473 回答