Filtering a CRUD table using php

First - I'm a newbie, so please forgive my lack of knowledge.

I found some code that I've manipulated to do most of what I need to get done. There is one small step that eludes me. I hope someone here can shed some light on it.

The 'Filter Button' should capture the entered catID #, which is used in the WHERE clause of the SELECT statement. I tried replacing the 13 on line 72 with "$catID", but to no avail.

When I enter a specific value for the 'category_id' number in the php file, save the file and refresh the browser - it works, but using the button in the browser - it doesn't.

The SELECT statement is correct... it works in phpMyAdmin.

Please let me know if anything is missing.

Thanks in advance,

Dave

<!DOCTYPE html>
<html lang="en">
   <head>
      <meta charset="UTF-8">
      <title>Dashboard</title>
      <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
      <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
      <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.js"></script>
      <style type="text/css">
         .wrapper{
         width: 650px;
         margin: 0 auto;
         }
         .page-header h2{
         margin-top: 0;
         }
         table tr td:last-child a{
         margin-right: 15px;
         }
      </style>
      <script type="text/javascript">
         $(document).ready(function(){
             $('[data-toggle="tooltip"]').tooltip();   
         });
      </script>
   </head>
   <body>
      <div class="wrapper">
         <div class="container-fluid">
            <div class="row">
               <div class="col-md-12">
                  <div class="page-header clearfix">
                     <h2 class="center">Tag H Details</h2>
                     <div>
                        <!--Filter Button  -->
                        <div class="col-md-3">
                           <p class="margin"></p>
                           <div class="input-group">
                              <div class="input-group-btn">
                                 <form action="http://localhost/fp/rt/index.php" method="post">
                                 <input type="text" name = "catID" placeholder="Category" class="form-control" >
                                 <input type="submit" name = "catID" value= "Filter" class="btn btn-primary ">
                                 </form>
                              </div>
                           </div>
                        </div>
                     </div>
                  </div>
                  <?php
                     // Include config file
                     require_once "config.php";

                     // Attempt select query execution

                     if(isset($_POST['catID']))
                     {

                     $catID = $_POST['catID'];

                     $sql = "SELECT
                     coh_items.id,
                     coh_items.tag_h_id,
                     coh_vendors.name,                          
                     coh_vendors.phone,
                     coh_vendors.c_code,
                     coh_items.purchase_price,
                     COUNT(tag_h_id) AS Reports
                     FROM
                     coh_items
                     INNER JOIN coh_vendors ON coh_items.tag_h_id = coh_vendors.id
                     WHERE
                     category_id = 13
                     GROUP BY
                     tag_h_id;";

                     $search_result = catID($sql);
                     }

                     else {
                     $sql = "SELECT * FROM `coh_items`";
                     $search_result = catID($sql);
                     }
                     function catID($sql){

                     $connect = mysqli_connect("localhost", "root", "", "green");
                     $filter_Result = mysqli_query($connect, $sql);
                     return $filter_Result;
                     };

                     if($result = mysqli_query($link, $sql)){
                         if(mysqli_num_rows($result) > 0){
                             echo "<table class='table table-bordered table-striped'>";
                                 echo "<thead>";
                                     echo "<tr>";
                                      echo "<th>ID</th>";
                                      echo "<th>Name</th>"; 
                                      echo "<th>Phone</th>";
                                      echo "<th>Status</th>";   
                                      echo "<th>Reports</th>";
                                      echo "<th>Rate</th>";
                                      echo "<th>Action</th>";
                                      echo "</tr>";
                                      echo "</thead>";
                                      echo "<tbody>";
                                      while($row = mysqli_fetch_array($result)){
                                      echo "<tr>";
                                      echo "<td>" . $row['tag_h_id'] . "</td>";
                                      echo "<td>" . $row['name'] . "</td>"; 

                                      echo "<td>" . $row['phone'] . "</td>";
                                      echo "<td>" . $row['c_code'] . "</td>";
                                       echo "<td>" . $row['Reports'] . "</td>";
                                       echo "<td>" . $row['purchase_price'] . "</td>";
                                       echo "<td>";
                                       echo "<a href='read.php?id=". $row['id'] ."' title='View Record' data-toggle='tooltip'><span class='glyphicon glyphicon-eye-open'></span></a>";
                                       echo "<a href='update.php?id=". $row['id'] ."' title='Update Record' data-toggle='tooltip'><span class='glyphicon glyphicon-pencil'></span></a>";
                                       echo "<a href='delete.php?id=". $row['id'] ."' title='Delete Record' data-toggle='tooltip'><span class='glyphicon glyphicon-trash'></span></a>";

                                         echo "</td>";
                                     echo "</tr>";
                                 }
                                 echo "</tbody>";                            
                             echo "</table>";
                             // Free result set
                             mysqli_free_result($result);
                         } else{
                             echo "<p class='lead'><em>No records were found.</em></p>";
                         }
                     } else{
                         echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
                     }

                     // Close connection
                     mysqli_close($link);
                     ?>
               </div>
            </div>
         </div>
      </div>
   </body>
</html>

As Jon P correctly pointed out, without prepared statements your code is vulnerable to SQL injection. So you really need to recode the SQL using prepared statements. However, if you are just working on a home computer and aren't worried about the security of the database, below is a quick fix.

The $sql variable is just a string, and you need to build it using concatenation. As follows:

$sql = "SELECT
          coh_items.id,
          coh_items.tag_h_id,
          coh_vendors.name,                          
          coh_vendors.phone,
          coh_vendors.c_code,
          coh_items.purchase_price,
          COUNT(tag_h_id) AS Reports
        FROM
          coh_items
          INNER JOIN coh_vendors ON coh_items.tag_h_id = coh_vendors.id
        WHERE
          category_id = ".$catID." 
        GROUP BY
          tag_h_id;";

EDIT:

OK, so I found the problem. You named both the text input and the submit input catID, but because the submit comes later, its value (Filter) overwrites the value from the text input and is what gets used in the POST. Just changing the name of the submit, or removing the name, will fix the problem.

    <p class="margin"></p>
    <div class="input-group-btn">
        <form action="http://localhost/fp/rt/index.php" method="post">
            <input type="text" name = "catID" placeholder="Category" class="form-control"/>
            <input type="submit" value= "Filter" class="btn btn-primary "/>
        </form>
    </div>
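The same category filter written the way the answer recommends, as a mysqli prepared statement so the posted catID is bound as a parameter rather than concatenated into the SQL string. This is an added example, not code from the question or either answer; it assumes `$link` is the mysqli connection that config.php creates, and the helper name `fetchItemsByCategory` is made up here.

```php
<?php
// Added example: prepared-statement version of the page's category filter.
// Assumes config.php defines $link as an open mysqli connection (as the
// original index.php relies on). Function name is hypothetical.
require_once "config.php";

function fetchItemsByCategory(mysqli $link, string $rawCatID): array
{
    // Reject anything that is not a plain non-negative integer before it
    // gets near the query; the bound parameter below is the real defence.
    if (!ctype_digit($rawCatID)) {
        throw new InvalidArgumentException("category id must be numeric");
    }
    $catID = (int) $rawCatID;

    $sql = "SELECT
              coh_items.id,
              coh_items.tag_h_id,
              coh_vendors.name,
              coh_vendors.phone,
              coh_vendors.c_code,
              coh_items.purchase_price,
              COUNT(tag_h_id) AS Reports
            FROM coh_items
            INNER JOIN coh_vendors ON coh_items.tag_h_id = coh_vendors.id
            WHERE category_id = ?
            GROUP BY tag_h_id";

    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, "i", $catID);   // "i": bind as integer
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);      // requires the mysqlnd driver
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// With the submit button left unnamed, only the text field posts as catID.
if (isset($_POST['catID']) && $_POST['catID'] !== '') {
    foreach (fetchItemsByCategory($link, $_POST['catID']) as $row) {
        // Escape DB values on output so a stored name cannot inject HTML.
        echo "<tr><td>" . htmlspecialchars($row['name']) . "</td></tr>";
    }
}
```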