无法在 PHP MySQL 查询中获取 OR 语句
Having trouble getting search to pick up OR statement in PHP MySQL Query
目前正在构建一个 CRUD 系统来跟踪产品编号。在我为搜索设置的查询中,它似乎除了 'p.name' 什么都没有,但没有找到任何其他东西,无论我把它放在搜索的 WHERE 语句中的第一位还是第二位功能。
但是如果我将第二个函数中的 p.name 更改为其他内容,它会选择它。
如果我添加 "OR p.family LIKE ?",查询将不会执行。
这是商品搜索代码。我添加了评论“//--我可以在这里添加另一个 LIKE 吗?”
<?php
class Product{
// database connection and table name
private $conn;
private $table_name = "products";
private $table2_name = "deleted_products";
// object properties
public $id;
public $name;
public $family;
public $number;
public $description;
public $ext_description;
public $category_id;
public $timestamp;
public $timestamp2;
public function __construct($db){
$this->conn = $db;
}
public function search($search_term, $from_record_num, $records_per_page){
// select query
$query = "SELECT
c.name as category_name, p.id, p.name, p.family, p.description, p.ext_description, p.number, p.category_id, p.created
FROM
" . $this->table_name . " p
LEFT JOIN
categories c
ON p.category_id = c.id
WHERE
p.family LIKE ? OR p.description LIKE ?
ORDER BY
p.name ASC
LIMIT
?, ?";
// prepare query statement
$stmt = $this->conn->prepare( $query );
// bind variable values
$search_term = "%{$search_term}%";
$stmt->bindParam(1, $search_term);
$stmt->bindParam(2, $search_term);
$stmt->bindParam(3, $from_record_num, PDO::PARAM_INT);
$stmt->bindParam(4, $records_per_page, PDO::PARAM_INT);
// execute query
$stmt->execute();
// return values from database
return $stmt;
}
public function countAll_BySearch($search_term){
// select query
$query = "SELECT
COUNT(*) as total_rows
FROM
" . $this->table_name . " p
LEFT JOIN
categories c
ON p.category_id = c.id
WHERE
p.name LIKE ?"; // ---- Can I add another LIKE here?
// prepare query statement
$stmt = $this->conn->prepare( $query );
// bind variable values
$search_term = "%{$search_term}%";
$stmt->bindParam(1, $search_term);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
return $row['total_rows'];
}
}
这是用于搜索的页面
<?php
// core.php holds pagination variables
include_once 'config/core.php';
// include database and object files
include_once 'config/database.php';
include_once 'objects/product.php';
include_once 'objects/category.php';
// instantiate database and product object
$database = new Database();
$db = $database->getConnection();
$product = new Product($db);
$category = new Category($db);
// get search term
$search_term=isset($_GET['s']) ? $_GET['s'] : '';
$page_title = "You searched for \"{$search_term}\"";
include_once "header.php";
// query products
$stmt = $product->search($search_term, $from_record_num, $records_per_page);
//$stmt = $product->readAll($from_record_num, $records_per_page);
// specify the page where paging is used
$page_url="search.php?s={$search_term}&";
// count total rows - used for pagination
$total_rows=$product->countAll_BySearch($search_term);
// read_template.php controls how the product list will be rendered
include_once "read_template.php";
// footer.php holds our javascript and closing html tags
include_once "footer.php";
?>
如果有人能帮助我,那就太好了!谢谢。
您应该能够像第一次那样做。查询中的每个值都需要一个占位符,然后每个占位符都需要一个绑定。
$query = "SELECT
COUNT(*) as total_rows
FROM
" . $this->table_name . " p
LEFT JOIN
categories c
ON p.category_id = c.id
WHERE
p.name LIKE ? OR p.description LIKE ?";
// prepare query statement
$stmt = $this->conn->prepare( $query );
// bind variable values
$search_term = "%{$search_term}%";
$stmt->bindParam(1, $search_term);
$stmt->bindParam(2, $search_term);
bindParam函数的第一个参数是它如何映射到查询中的占位符,1表示它与第一个占位符匹配。另一种语法是在 execute.
中传递绑定
$stmt = $this->conn->prepare( $query );
$search_term = "%{$search_term}%";
$stmt->execute(array($search_term, $search_term));
此外,直接在 DOM 中使用用户提供的数据会导致 XSS 注入。您应该对输入进行转义,这样恶意代码就无法执行。
$search_term=isset($_GET['s']) ? htmlspecialchars($_GET['s'], ENT_QUOTES) : '';
目前正在构建一个 CRUD 系统来跟踪产品编号。在我为搜索设置的查询中,它似乎除了 'p.name' 什么都没有,但没有找到任何其他东西,无论我把它放在搜索的 WHERE 语句中的第一位还是第二位功能。
但是如果我将第二个函数中的 p.name 更改为其他内容,它会选择它。
如果我添加 "OR p.family LIKE ?",查询将不会执行。
这是商品搜索代码。我添加了评论“//--我可以在这里添加另一个 LIKE 吗?”
<?php
class Product{
// database connection and table name
private $conn;
private $table_name = "products";
private $table2_name = "deleted_products";
// object properties
public $id;
public $name;
public $family;
public $number;
public $description;
public $ext_description;
public $category_id;
public $timestamp;
public $timestamp2;
public function __construct($db){
$this->conn = $db;
}
public function search($search_term, $from_record_num, $records_per_page){
// select query
$query = "SELECT
c.name as category_name, p.id, p.name, p.family, p.description, p.ext_description, p.number, p.category_id, p.created
FROM
" . $this->table_name . " p
LEFT JOIN
categories c
ON p.category_id = c.id
WHERE
p.family LIKE ? OR p.description LIKE ?
ORDER BY
p.name ASC
LIMIT
?, ?";
// prepare query statement
$stmt = $this->conn->prepare( $query );
// bind variable values
$search_term = "%{$search_term}%";
$stmt->bindParam(1, $search_term);
$stmt->bindParam(2, $search_term);
$stmt->bindParam(3, $from_record_num, PDO::PARAM_INT);
$stmt->bindParam(4, $records_per_page, PDO::PARAM_INT);
// execute query
$stmt->execute();
// return values from database
return $stmt;
}
public function countAll_BySearch($search_term){
// select query
$query = "SELECT
COUNT(*) as total_rows
FROM
" . $this->table_name . " p
LEFT JOIN
categories c
ON p.category_id = c.id
WHERE
p.name LIKE ?"; // ---- Can I add another LIKE here?
// prepare query statement
$stmt = $this->conn->prepare( $query );
// bind variable values
$search_term = "%{$search_term}%";
$stmt->bindParam(1, $search_term);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
return $row['total_rows'];
}
}
这是用于搜索的页面
<?php
// core.php holds pagination variables
include_once 'config/core.php';
// include database and object files
include_once 'config/database.php';
include_once 'objects/product.php';
include_once 'objects/category.php';
// instantiate database and product object
$database = new Database();
$db = $database->getConnection();
$product = new Product($db);
$category = new Category($db);
// get search term
$search_term=isset($_GET['s']) ? $_GET['s'] : '';
$page_title = "You searched for \"{$search_term}\"";
include_once "header.php";
// query products
$stmt = $product->search($search_term, $from_record_num, $records_per_page);
//$stmt = $product->readAll($from_record_num, $records_per_page);
// specify the page where paging is used
$page_url="search.php?s={$search_term}&";
// count total rows - used for pagination
$total_rows=$product->countAll_BySearch($search_term);
// read_template.php controls how the product list will be rendered
include_once "read_template.php";
// footer.php holds our javascript and closing html tags
include_once "footer.php";
?>
如果有人能帮助我,那就太好了!谢谢。
您应该能够像第一次那样做。查询中的每个值都需要一个占位符,然后每个占位符都需要一个绑定。
$query = "SELECT
COUNT(*) as total_rows
FROM
" . $this->table_name . " p
LEFT JOIN
categories c
ON p.category_id = c.id
WHERE
p.name LIKE ? OR p.description LIKE ?";
// prepare query statement
$stmt = $this->conn->prepare( $query );
// bind variable values
$search_term = "%{$search_term}%";
$stmt->bindParam(1, $search_term);
$stmt->bindParam(2, $search_term);
bindParam函数的第一个参数是它如何映射到查询中的占位符,1表示它与第一个占位符匹配。另一种语法是在 execute.
$stmt = $this->conn->prepare( $query );
$search_term = "%{$search_term}%";
$stmt->execute(array($search_term, $search_term));
此外,直接在 DOM 中使用用户提供的数据会导致 XSS 注入。您应该对输入进行转义,这样恶意代码就无法执行。
$search_term=isset($_GET['s']) ? htmlspecialchars($_GET['s'], ENT_QUOTES) : '';