0

我对 PHP / MySQL 还是很陌生 .. 所以请放轻松 :)

我想过滤变量为“!empty”的“SELECT”函数。否则 'SELECT * FROM' 数据库。

这是我的代码..

<form id="search" method="post" action="search.php">
<fieldset>
<input type='hidden' name='submitted' value='yes'/>
<label id="label" for="type">Type</label>
<select name="type" id="type" size="1">
<option value="" selected>Any</option>
<option value="house">House</option>
<option value="flat">Flat</option>
<option value="apartment">Apartment</option>
<option value="other">Other</option>
</select>
<label id='label' for='area'>Area</label>
<select name="area" id="area" size="1">
<option value="" selected>Any</option>
<option value="mtpleasant">Mount Pleasant</option>
<option value="townhill">Townhill</option>
<option value="mayhill">Mayhill</option>
<option value="town">Town Centre</option>
<option value="maritime">Maritime Quarter</option>
<option value="brynmill">Brynmill</option>
<option value="sketty">Sketty</option>
<option value="uplands">Uplands</option>
<option value="other">Other</option>
</select>
<label id="label" for="rent">Max. Rent PCM</label>
<input type="text" name="rent" id="rent" value="">
<label id="label" for="deposit">Max. Deposit</label>
<input type="text" name="deposit" id="deposit" value="">
<div id='submit_container' height="90px" width="400px">
<button type='submit' class='search_submit' alt="Search"/>&nbsp;</button>
<a href="#" onclick="show('search_advanced');">Advanced Search &#187;</a>
<div id="search_advanced">
<label id="label" for="tenancy">Tenancy Length</label>
<input type="checkbox" name="tenancy" value="1-5"><span>1 - 6 months</span><br />
<input type="checkbox" name="tenancy" value="6-12"><span>6 - 12 months</span><br />
<input type="checkbox" name="tenancy" value="12+"><span>12+ months</span><br />
<label id="label" for="bedrooms">Bedrooms</label>
<input type="checkbox" name="bedrooms" value="1-3"><span>1-3</span><br/>
<input type="checkbox" name="bedrooms" value="4-6"><span>4-6</span><br/>
<input type="checkbox" name="bedrooms" value="6+"><span>6+</span><br/>
<label id="label" for="bathrooms">Bathrooms</label>
<input type="checkbox" name="bathrooms" value="1"><span>1</span><br/>
<input type="checkbox" name="bathrooms" value="2+"><span>2+</span><br/>
<label id="label" for="communal">Communal</label>
<input type="checkbox" name="communal" value="1"><span>1</span><br/>
<input type="checkbox" name="communal" value="2+"><span>2+</span><br/>
<label id="label" for="parking">Parking</label>
<input type="checkbox" name="parking" value="Y"><span>Yes</span><br/>
<input type="checkbox" name="parking" value="N"><span>No</span><br/>
<label id="label" for="garden">Garden</label>
<input type="checkbox" name="garden" value="Y"><span>Yes</span><br/>
<input type="checkbox" name="garden" value="N"><span>No</span><br/>
<label id="label" for="broadband">Broadband</label>
<input type="checkbox" name="broadband" value="Y"><span>Yes</span><br/>
<input type="checkbox" name="broadband" value="N"><span>No</span><br/>
</div>
</fieldset>
</form>


<?php
$type = (isset($_POST['type']) && !empty($_POST['type']) ? mysql_real_escape_string($_POST['type']): false);
$area = (isset($_POST['type']) && !empty($_POST['area']) ? mysql_real_escape_string($_POST['area']): false);
$rent = (isset($_POST['type']) && !empty($_POST['rent']) ? mysql_real_escape_string($_POST['rent']): false);
$deposit = (isset($_POST['type']) && !empty($_POST['deposit']) ? mysql_real_escape_string($_POST['deposit']): false);
$tenancy = (isset($_POST['type']) && !empty($_POST['tenancy']) ? mysql_real_escape_string($_POST['tenancy']): false);
$bedrooms = (isset($_POST['type']) && !empty($_POST['bedrooms']) ? mysql_real_escape_string($_POST['bedrooms']): false);
$bathrooms = (isset($_POST['type']) && !empty($_POST['bathrooms']) ? mysql_real_escape_string($_POST['bathrooms']): false);
$communal = (isset($_POST['type']) && !empty($_POST['communal']) ? mysql_real_escape_string($_POST['communal']): false);
$parking = (isset($_POST['type']) && !empty($_POST['parking']) ? mysql_real_escape_string($_POST['parking']): false);
$garden = (isset($_POST['type']) && !empty($_POST['garden']) ? mysql_real_escape_string($_POST['garden']): false);
$broadband = (isset($_POST['type']) && !empty($_POST['broadband']) ? mysql_real_escape_string($_POST['broadband']): false);

$query = "SELECT * FROM 'properties' WHERE 1=1"; // no filtering

if ($type) { $query.=" AND 'type' = ".$type; } // type filter
if ($area) {$query.=" AND 'area' = ".$area;} // area filter
if ($rent) {$query.=" AND 'rent' < ".$rent;} // rent filter
if ($deposit) {$query.=" AND 'deposit' < ".$deposit;} // deposit filter
if ($tenancy) {$query.=" AND 'tenancy' = ".$tenancy;} // tenancy filter
if ($bedrooms) {$query.=" AND 'bedrooms' > ".$bedrooms;} // bedrooms filter
if ($bathrooms) {$query.=" AND 'bathrooms' > ".$bathrooms;} // bathrooms filter
if ($communal) {$query.=" AND 'communal' > ".$communal;} // communal filter
if ($parking) {$query.=" AND 'parking' = ".$parking);} // parking filter
if ($garden) {$query.=" AND 'garden' = ".$garden;} // garden filter
if ($broadband) {$query.=" AND 'broadband' = ".$broadband;} // broadband filter

$results = mysql_query($query); 

echo '<table border=0 cellpadding=3>';

while ($info = mysql_fetch_array($results)) {
    echo '<tr>';
    echo '<th>Type:</th><td>'.$info['type'] . '</td> ';
    echo '<th>Area:</th><td>'.$info['area'] . '</td> ';
    echo '</tr>';
}

echo '</table>';
?>

我很确定我很接近这个,不是吗?我收到以下错误。

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/a9137540/public_html/search.php on line 49

Line 49: while ($info = mysql_fetch_array($results)) {

请帮忙!提前致谢。

4

3 回答 3

0

什么是右括号在每种if情况下的目的

试试这个

$query = "SELECT * FROM 'properties' WHERE 1=1";
if (isset($type)) { $query.=" AND `type` = '".$type."' "; } // type filter
if (isset($area)) {$query.=" AND `area` = '".$area."' "; }  // area filter
if (isset($rent)) {$query.=" AND `rent` < '".$rent."' "; } // rent filter
if (isset($deposit)) {$query.=" AND `deposit` < '".$deposit."' "; } // deposit filter
if (isset($tenancy)) {$query.=" AND `tenancy` = '".$tenancy."' "; } // tenancy filter
if (isset($bedrooms)) {$query.=" AND `bedrooms` > '".$bedrooms."' "; } // bedrooms filter
if (isset($bathrooms)) {$query.=" AND `bathrooms` > '".$bathrooms."' "; } // bathrooms filter
if (isset($communal)) {$query.=" AND `communal` > '".$communal."' "; } // communal filter
if (isset($parking)) {$query.=" AND `parking` = '".$parking."' "; } // parking filter
if (isset($garden)) {$query.=" AND `garden` = '".$garden."' "; } // garden filter
if (isset($broadband)) {$query.=" AND `broadband` = '".$broadband."' "; } // broadband filter

并检查是否分配了任何变量,您必须使用isset

于 2013-05-30T09:36:29.497 回答
0

请试试这个

 isset($_POST['type'])

代替

!empty($_POST['type'])
于 2013-05-30T09:28:34.373 回答
-1

在您的条件下添加 isset() 函数:

(isset($_POST['type']) && !empty($_POST['type'])) ? mysql_real_escape_string($_POST['type']): false;

但是您的查询对 SQL 注入攻击是开放的。确保首先对 $_POST 项目进行消毒。

对于错误:您很可能有查询错误。而不是简单地做 $result=mysql_query($query); 并尝试使用 $result,确保查询成功执行。

if(!mysql_query($query)){
  echo mysql_errno();
  exit;
}

这至少可以帮助您识别错误。

附加信息。尝试改变

if ($area) {$query.=" AND 'area' = ".$area;}`

if ($area) {$query.="' AND 'area' = '".$area;} (我$query.="".$area.

SQL 需要用引号将值(数字除外)括起来。

于 2013-05-30T09:30:31.107 回答