PHP/MySQL 搜索不起作用

【问题标题】:PHP/MySQL search not workingPHP/MySQL 搜索不起作用
【发布时间】:2013-03-27 18:40:44
【问题描述】:

我的 PHP/MySQL 搜索有些困难。一年前它工作得很好,但由于某种原因它刚刚停止工作。我已经尝试过搜索,但无法弄清楚。我让它回显我的查询,但它从未添加到 WHERE 子句中。非常感谢任何帮助。

表格代码:

<form name="search" method="post">
    <p><b>Name of Property:</b> <input type="text" id="NameSrch" name="NameSrch" /> (optional)</p>
    <p><b>City Your Looking to Stay In:</b> <input type="text" id="CitySrch" name="CitySrch" /> (optional)</p>
    <p><b>Listing ID Number:</b> <input type="text" id="RentalIDSrch" name="RentalIDSrch" /> (optional)</p>
    <p><b>Number of Bedrooms:</b> <input type="text" id="BedroomSrch" name="BedroomSrch" /> (optional)</p>
    <p><b>Number of Bathrooms:</b> <input type="text" id="BathroomSrch" name="BathroomSrch" /> (optional)</p>
    <p><b>Maximum Occupancy:</b> <input type="text" id="SleepsSrch" name="SleepsSrch" /> (optional)</p>
    <input type="hidden" name="method" value="exSearch">
    <p><input type="submit" value="Search" /></p>
</form>

PHP 代码:

<? 
                        $method = $_POST['method'];

                        if($method == 'exSearch') {

                            // Start Results Display 


                            $con = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql: ' . mysql_error());
                            mysql_select_db($dbname);

                            $query_string = 'SELECT * FROM TABLE ';

                            $location_result_string = "";
                            $location_count = 0;


                                if ($NameSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propName) LIKE ("%$NameSrch%") ';
                                }

                                if ($CitySrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propCity) LIKE ("%$CitySrch%") ';
                                }

                                if ($RentalIDSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propID) LIKE ("%$RentalIDSrch%") ';
                                }

                                if ($BedroomSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propBedrooms) LIKE ("%$BedroomSrch%") ';
                                }

                                if ($BathroomSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propBaths) LIKE ("%$BathroomSrch%") ';
                                }

                                if ($SleepsSrch) {
                                    if ($location_count > 0) {
                                        $location_result_string = $location_result_string . " AND ";
                                    }
                                    $location_count = $location_count + 1;
                                    $location_result_string = $location_result_string . ' (propSleeps) LIKE ("%$SleepsSrch%") ';
                                }



                            if ($location_count > 0) {
                                $location_result_string = "WHERE (" . $location_result_string . ")";

                                $query_string = $query_string . $location_result_string;    
                            }

                            $re = mysql_query($query_string, $con) or die (mysql_error());

                            $number_of_rows = mysql_num_rows($re);




                            // Loop through each item in the result set                 
                            for ($h = 0; $h < $number_of_rows; $h++)
                            {

                            $propID = mysql_result($re, $h, 'propID');
                            $propAvail = mysql_result($re, $h, 'propAvail');
                            $propPets = mysql_result($re, $h, 'propPets');
                            $propName = mysql_result($re, $h, 'propName');
                            $propPropertyType = mysql_result($re, $h, 'propPropertyType');
                            $propPriceRange = mysql_result($re, $h, 'propPriceRange');
                            $propBedrooms = mysql_result($re, $h, 'propBedrooms');
                            $propBaths = mysql_result($re, $h, 'propBaths');
                            $propPropertyType = mysql_result($re, $h, 'propPropertyType');
                            $propSleeps = mysql_result($re, $h, 'propSleeps');
                            $propPic1 = mysql_result($re, $h, 'propPic1');
                            $propPicDesc1 = mysql_result($re, $h, 'propPicDesc1');

                            $nameLen = strlen($propName);
                            $petsLen = strlen($propPets);
                            $pets = $propPets;


                                                           //Results go here

                            }
                            echo $query_string;
                            }


                            // End Results Display

                            ?>

【问题讨论】:

  • $NameSrch, $CitySrch等变量是怎么设置的?它们是完全设置还是您希望它们通过 POST 设置?因为那行不通。您可以通过 $_POST['fieldName'] 访问发布的内容。此外,访问字符串中的变量,例如:'blablabla'.$sName.'额外的';或者如果你使用双引号,你可以像 "blablabla {$sName} extra" 那样做。
  • 这可能是问题所在。如果您有设置REGISTER_GLOBALS=ON,则此代码可以使用,但使用REGISTER_GLOBALS=OFF(应该如此),您必须通过$_POST访问变量
  • 如果像$NameSrch这样的变量直接取自用户输入,那么你的脚本很可能容易受到SQL注入的攻击。

标签: php mysql search field


【解决方案1】:

如果我对直接从表单中提取的变量的假设是正确的,那么您必须注册全局变量,这是不建议的,因为它会带来很大的安全风险。相反,我以正确的方式调整了您的 PHP 代码,还修复了查询字符串中包含的变量。

<?php
$method = $_POST['method'];
if($method == 'exSearch') {
    // Start Results Display 
    $con = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql: ' . mysql_error());
    mysql_select_db($dbname);
    $query_string = 'SELECT * FROM TABLE ';
    $location_result_string = "";
    $location_count = 0;
    if ($_POST['NameSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propName) LIKE ("%'.$_POST['NameSrch'].'%") ';
    }
    if ($_POST['CitySrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propCity) LIKE ("%'.$_POST['CitySrch'].'%") ';
    }
    if ($_POST['RentalIDSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propID) LIKE ("%'.$_POST['RentalIDSrch'].'%") ';
    }
    if ($_POST['BedroomSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propBedrooms) LIKE ("%'.$_POST['BedroomSrch'].'%") ';
    }
    if ($_POST['BathroomSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propBaths) LIKE ("%'.$_POST['BathroomSrch'].'%") ';
    }
    if ($_POST['SleepsSrch']) {
        if ($location_count > 0) {
            $location_result_string = $location_result_string . " AND ";
        }
        $location_count = $location_count + 1;
        $location_result_string = $location_result_string . ' (propSleeps) LIKE ("%'.$_POST['SleepsSrch'].'%") ';
    }
    if ($location_count > 0) {
        $location_result_string = "WHERE (" . $location_result_string . ")";
        $query_string = $query_string . $location_result_string;    
    }
    $re = mysql_query($query_string, $con) or die (mysql_error());
    $number_of_rows = mysql_num_rows($re);
    // Loop through each item in the result set                 
    for ($h = 0; $h < $number_of_rows; $h++)
    {
        $propID = mysql_result($re, $h, 'propID');
        $propAvail = mysql_result($re, $h, 'propAvail');
        $propPets = mysql_result($re, $h, 'propPets');
        $propName = mysql_result($re, $h, 'propName');
        $propPropertyType = mysql_result($re, $h, 'propPropertyType');
        $propPriceRange = mysql_result($re, $h, 'propPriceRange');
        $propBedrooms = mysql_result($re, $h, 'propBedrooms');
        $propBaths = mysql_result($re, $h, 'propBaths');
        $propPropertyType = mysql_result($re, $h, 'propPropertyType');
        $propSleeps = mysql_result($re, $h, 'propSleeps');
        $propPic1 = mysql_result($re, $h, 'propPic1');
        $propPicDesc1 = mysql_result($re, $h, 'propPicDesc1');
        $nameLen = strlen($propName);
        $petsLen = strlen($propPets);
        $pets = $propPets;
        // Results go here
    }
    echo $query_string;
}
// End Results Display

?>

我还建议验证您的输入并检查您是否获得了所需的数据类型,例如如果您需要数字,请验证它是否为数字,这样您就不太容易受到 SQL 注入的影响。还可以使用 mysql_real_escape_string(http://php.net/manual/en/function.mysql-real-escape-string.php) 来清理数据。

如果您希望您的脚本在未来也能正常工作,我建议您学习一两节 PDO,因为在不久的将来,PHP 将摆脱 MySQL 库。

【讨论】:

    【解决方案2】:

    您正在使用变量$NameSrch$CitySrch 等,但没有定义它们。由于它们与表单输入的名称匹配,我假设您最初打开了 register_globals,现在它已关闭(或者如果您使用的是 PHP 5.4.0,则已删除)。

    您需要将它们更改为$_POST['NameSrch']$_POST['CitySrch']等。

    【讨论】:

      猜你喜欢
      • 2015-07-09
      • 1970-01-01
      • 2013-07-20
      • 2012-07-02
      • 1970-01-01
      • 1970-01-01
      • 2013-09-04
      • 1970-01-01
      • 2011-10-04
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode