通配符输入导致其他搜索输入以多输入搜索形式检索所有数据
Wildcard input causes other search inputs to retrieve all data in multiple input search form
我有一个多字段 php 搜索表单。当将通配符添加到其中一个搜索字段时,它会导致其他字段检索数据库中的所有数据。如果没有通配符,country 只会找到国家,cityname 只会找到城市:
$sql = " SELECT * FROM `epic_schools_tbl` WHERE ";
if (!empty($_POST['submit'])) {
if (isset($_POST['country'])) {
$country = $_POST['country'];
$sql .= " `country` = :country ";
}
if (isset($_POST['cityname'])) {
$cityname = $_POST['cityname'];
$sql .= " OR `city` = :cityname ";
}
$stmt = $pdo->prepare($sql);
$stmt->execute(array($country,$cityname));
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo "<p>" . $row['country'] . "</p><p>" . $row['city'] . "</p>" . PHP_EOL;
}
}
添加通配符(schoolname)时:
$sql = " SELECT * FROM `epic_schools_tbl` WHERE ";
if (!empty($_POST['submit'])) {
if (isset($_POST['country'])) {
$country = $_POST['country'];
$sql .= " `country` = :country ";
}
if (isset($_POST['schoolname'])) {
$schoolname = $_POST['schoolname'];
$sql .= " OR `school_name` LIKE :schoolname ";
}
if (isset($_POST['cityname'])) {
$cityname = $_POST['cityname'];
$sql .= " OR `city` = :cityname ";
}
$stmt = $pdo->prepare($sql);
$stmt->execute(array($country,"%$schoolname%",$cityname));
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo "<p>" . $row['country'] . "</p><p>" . $row['school_name'] . "</p><p>" . $row['city'] . "</p>" . PHP_EOL;
}
}
它会导致 country 和/或 cityname 检索数据库中的所有数据。是否可以编写 SELECT 语句来接受一个带有通配符的输入,而其他输入则不是?
问题的部分解决方案包括在 select 语句中放置一个 IF 函数。此外,将 OR 替换为 AND 有助于消除城市字段或学校名称字段,如果留空则不会返回整个数据库。
$sql = "select * from epic_schools_tbl where country = if(length(:countryname)=0, country, :countryname2) and city = if(length(:cityname)=0, city, :cityname2) and (school_name like concat('%', if(length(:schoolname)=0, school_name, :schoolname2) , '%') or alternate_names like concat('%', if(length(:alternatenames)=0, alternate_names, :alternatenames2) , '%') and aka_names like concat('%', if(length(:akanames)=0, aka_names, :akanames2) , '%'))";
$stmt = $pdo->prepare($sql);
$countryname = $_POST['country'];
$cityname = $_POST['cityname'];
$schoolname = $_POST['schoolname'];
$alternatenames = $_POST['schoolname'];
$akanames = $_POST['schoolname'];
//Bind the variables to the prepared statement. Maybe each bind variable must have unique name.
$stmt->bindParam(':countryname', $countryname);
$stmt->bindParam(':countryname2', $countryname);
$stmt->bindParam(':cityname', $cityname);
$stmt->bindParam(':cityname2', $cityname);
$stmt->bindParam(':schoolname', $schoolname);
$stmt->bindParam(':schoolname2', $schoolname);
$stmt->bindParam(':alternatenames', $alternatenames);
$stmt->bindParam(':alternatenames2', $alternatenames);
$stmt->bindParam(':akanames', $akanames);
$stmt->bindParam(':akanames2', $akanames);
//Nothing to pass in. Everything is already bound.
$stmt->execute();
我有一个多字段 php 搜索表单。当将通配符添加到其中一个搜索字段时,它会导致其他字段检索数据库中的所有数据。如果没有通配符,country 只会找到国家,cityname 只会找到城市:
$sql = " SELECT * FROM `epic_schools_tbl` WHERE ";
if (!empty($_POST['submit'])) {
if (isset($_POST['country'])) {
$country = $_POST['country'];
$sql .= " `country` = :country ";
}
if (isset($_POST['cityname'])) {
$cityname = $_POST['cityname'];
$sql .= " OR `city` = :cityname ";
}
$stmt = $pdo->prepare($sql);
$stmt->execute(array($country,$cityname));
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo "<p>" . $row['country'] . "</p><p>" . $row['city'] . "</p>" . PHP_EOL;
}
}
添加通配符(schoolname)时:
$sql = " SELECT * FROM `epic_schools_tbl` WHERE ";
if (!empty($_POST['submit'])) {
if (isset($_POST['country'])) {
$country = $_POST['country'];
$sql .= " `country` = :country ";
}
if (isset($_POST['schoolname'])) {
$schoolname = $_POST['schoolname'];
$sql .= " OR `school_name` LIKE :schoolname ";
}
if (isset($_POST['cityname'])) {
$cityname = $_POST['cityname'];
$sql .= " OR `city` = :cityname ";
}
$stmt = $pdo->prepare($sql);
$stmt->execute(array($country,"%$schoolname%",$cityname));
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo "<p>" . $row['country'] . "</p><p>" . $row['school_name'] . "</p><p>" . $row['city'] . "</p>" . PHP_EOL;
}
}
它会导致 country 和/或 cityname 检索数据库中的所有数据。是否可以编写 SELECT 语句来接受一个带有通配符的输入,而其他输入则不是?
问题的部分解决方案包括在 select 语句中放置一个 IF 函数。此外,将 OR 替换为 AND 有助于消除城市字段或学校名称字段,如果留空则不会返回整个数据库。
$sql = "select * from epic_schools_tbl where country = if(length(:countryname)=0, country, :countryname2) and city = if(length(:cityname)=0, city, :cityname2) and (school_name like concat('%', if(length(:schoolname)=0, school_name, :schoolname2) , '%') or alternate_names like concat('%', if(length(:alternatenames)=0, alternate_names, :alternatenames2) , '%') and aka_names like concat('%', if(length(:akanames)=0, aka_names, :akanames2) , '%'))";
$stmt = $pdo->prepare($sql);
$countryname = $_POST['country'];
$cityname = $_POST['cityname'];
$schoolname = $_POST['schoolname'];
$alternatenames = $_POST['schoolname'];
$akanames = $_POST['schoolname'];
//Bind the variables to the prepared statement. Maybe each bind variable must have unique name.
$stmt->bindParam(':countryname', $countryname);
$stmt->bindParam(':countryname2', $countryname);
$stmt->bindParam(':cityname', $cityname);
$stmt->bindParam(':cityname2', $cityname);
$stmt->bindParam(':schoolname', $schoolname);
$stmt->bindParam(':schoolname2', $schoolname);
$stmt->bindParam(':alternatenames', $alternatenames);
$stmt->bindParam(':alternatenames2', $alternatenames);
$stmt->bindParam(':akanames', $akanames);
$stmt->bindParam(':akanames2', $akanames);
//Nothing to pass in. Everything is already bound.
$stmt->execute();