Hi, I am trying to create a store locator and part finder. At the moment I have an SQL query that uses LIKE to get all answers that have 1 in them; this is connected to the PHP input as well. How would I change the LIKE '%%' clause from being specific to being whatever the user puts into the form, but obtaining the same results as what the LIKE gives me? So if I type in 1 it shows all the parts with one, and if I type in 4 it does the same. My code is:

<head>
        <?php
        // Connect to SQL Server with the sqlsrv driver.
        $serverName = "127.0.0.0";
        $connectionInfo = array( "Database"=>"db", "UID"=>"id", "PWD"=>"pwd");
        $conn = sqlsrv_connect( $serverName, $connectionInfo );
        if( $conn === false )
        {
            die( print_r( sqlsrv_errors(), true));
        }
        // LIKE '%%' matches every part number; this is the clause that should
        // follow the value typed into the form instead.
        $sql = "SELECT     dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip,
                           dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2) AS distances
                FROM       dbo.Customer INNER JOIN
                           CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND
                           dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN
                           Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company
                WHERE      Part.partnum LIKE '%%' AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150)
                ORDER BY   distances ";

        $stmt = sqlsrv_query( $conn, $sql );
        if( $stmt === false)
        {
            die( print_r( sqlsrv_errors(), true) );
        }
        // Print one result block per matching customer/part row.
        while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC) ) {
            echo $row['name']."<br/>".$row['address1']."<br/>".$row['state']."<br/>".$row['zip']."<br/>".$row['phonenum']."<br/>".$row['distances']."<br/>".$row['partnum']."<br/>"
            .$row['description']."<br/>";
        }
        sqlsrv_free_stmt( $stmt);
        ?>
</head>
    <body>
        <?php // Escape the submitted value before echoing it back into the page. ?>
        part = <?php echo htmlspecialchars($_POST["part"] ?? '', ENT_QUOTES, 'UTF-8'); ?>
    </body>

1 Answer

First, I recommend that you use PDO instead of the sqlsrv_*() functions. Here is an example of that:

$sql = "SELECT     dbo.Customer.name, dbo.Customer.address1, dbo.Customer.address2, dbo.Customer.address3, dbo.Customer.city, dbo.Customer.state, dbo.Customer.zip,
                           dbo.Customer.faxnum, dbo.Customer.phonenum, dbo.Customer.emailaddress, Part.description, Part.partnum, ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925) ,2) AS distances
                FROM       dbo.Customer INNER JOIN
                           CustomerPartCrossRef ON dbo.Customer.company = CustomerPartCrossRef.company AND dbo.Customer.shiptonum = CustomerPartCrossRef.shiptonum AND
                           dbo.Customer.custnum = CustomerPartCrossRef.custnum INNER JOIN
                           Part ON CustomerPartCrossRef.partnum = Part.partnum AND CustomerPartCrossRef.company = Part.company
                WHERE      Part.partnum LIKE ? AND (ROUND(odbcadmin.fn_calDist(- 0.03715491813985, 0.9178158214586024, long * 0.0174532925, lat * 0.0174532925),2) <= 150)
                ORDER BY   distances ";
// The ? placeholder must stand alone: a ? inside quotes ('%?%') is just a
// literal character, so the % wildcards are added around the value in PHP.
$dbh = new PDO('sqlsrv:Server=localhost;Database=testdb', DB_USER, DB_PASS);
$stmt = $dbh->prepare($sql);
$stmt->execute(array('%' . $_GET['users_input'] . '%'));

When execute() is called, the ? I added to your query is replaced by the value in the array. For details, see http://www.php.net/manual/en/pdo.prepared-statements.php

Obviously, you may want to ... before passing the user input to execute().

answered 2013-10-03T11:44:35.967
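The question's LIKE '%%' clause and the answer's prepared-statement suggestion, carried through as an added example (not code from the question or the answer): the search term and the distance limit are bound as parameters, and the user's own %, _ and [ characters are escaped so they cannot widen the match. The table and column names come from the question; the DSN, credentials and the use of $_POST['part'] are assumptions.

```php
<?php
// Added example, not from the question or answer. Assumes the tables and
// fn_calDist from the question; DSN and credentials below are placeholders.

/**
 * Turn raw user input into a "contains" LIKE pattern. SQL Server treats
 * %, _ and [ as wildcards inside LIKE, so a user typing "%" would otherwise
 * match every part. They are escaped with "\" and the query declares
 * ESCAPE '\' so the server reads them literally.
 */
function containsPattern(string $userInput): string
{
    $escaped = strtr($userInput, ['\\' => '\\\\', '%' => '\%', '_' => '\_', '[' => '\[']);
    return '%' . $escaped . '%';
}

/**
 * Run the store-locator query with the search term and the distance limit
 * bound as parameters. The driver sends values separately from the SQL
 * text, so form input is never parsed as SQL.
 */
function findParts(PDO $dbh, string $partInput, float $maxDistance): array
{
    $sql = "SELECT c.name, c.address1, c.state, c.zip, c.phonenum, p.partnum, p.description,
                   ROUND(odbcadmin.fn_calDist(-0.03715491813985, 0.9178158214586024,
                         long * 0.0174532925, lat * 0.0174532925), 2) AS distances
            FROM dbo.Customer AS c
            INNER JOIN CustomerPartCrossRef AS x
                    ON c.company = x.company AND c.shiptonum = x.shiptonum AND c.custnum = x.custnum
            INNER JOIN Part AS p
                    ON x.partnum = p.partnum AND x.company = p.company
            WHERE p.partnum LIKE ? ESCAPE '\\'
              AND ROUND(odbcadmin.fn_calDist(-0.03715491813985, 0.9178158214586024,
                        long * 0.0174532925, lat * 0.0174532925), 2) <= ?
            ORDER BY distances";
    $stmt = $dbh->prepare($sql);
    $stmt->execute([containsPattern($partInput), $maxDistance]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage against a real server (placeholder DSN/credentials); ERRMODE_EXCEPTION
// makes connection and query failures visible instead of silently empty:
// $dbh  = new PDO('sqlsrv:Server=localhost;Database=db', 'id', 'pwd',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $rows = findParts($dbh, $_POST['part'] ?? '', 150);

// Constructed checks of the escaping, runnable without a database:
assert(containsPattern('1') === '%1%');
assert(containsPattern('50%_x') === '%50\%\_x%');
```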