1. 首頁
  2. 問答
  3. PHP/MySQL搜索不起作用

PHP/MySQL搜索不起作用

2013-03-27 71 views
0

我在PHP/MySQL搜索中遇到了一些困難。它在一年前運行良好,但由於某種原因它剛剛停止工作。我嘗試過搜索並找不到它。我有它迴應我的查詢,但它永遠不會在WHERE子句中添加。任何幫助深表感謝。PHP/MySQL搜索不起作用

表格代號:

<form name="search" method="post"> 
    <p><b>Name of Property:</b> <input type="text" id="NameSrch" name="NameSrch" /> (optional)</p> 
    <p><b>City Your Looking to Stay In:</b> <input type="text" id="CitySrch" name="CitySrch" /> (optional)</p> 
    <p><b>Listing ID Number:</b> <input type="text" id="RentalIDSrch" name="RentalIDSrch" /> (optional)</p> 
    <p><b>Number of Bedrooms:</b> <input type="text" id="BedroomSrch" name="BedroomSrch" /> (optional)</p> 
    <p><b>Number of Bathrooms:</b> <input type="text" id="BathroomSrch" name="BathroomSrch" /> (optional)</p> 
    <p><b>Maximum Occupancy:</b> <input type="text" id="SleepsSrch" name="SleepsSrch" /> (optional)</p> 
    <input type="hidden" name="method" value="exSearch"> 
    <p><input type="submit" value="Search" /></p> 
</form>

PHP代碼:

<? 
         $method = $_POST['method']; 

         if($method == 'exSearch') { 

          // Start Results Display 


          $con = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql: ' . mysql_error()); 
          mysql_select_db($dbname); 

          $query_string = 'SELECT * FROM TABLE '; 

          $location_result_string = ""; 
          $location_count = 0; 


           if ($NameSrch) { 
            if ($location_count > 0) { 
             $location_result_string = $location_result_string . " AND "; 
            } 
            $location_count = $location_count + 1; 
            $location_result_string = $location_result_string . ' (propName) LIKE ("%$NameSrch%") '; 
           } 

           if ($CitySrch) { 
            if ($location_count > 0) { 
             $location_result_string = $location_result_string . " AND "; 
            } 
            $location_count = $location_count + 1; 
            $location_result_string = $location_result_string . ' (propCity) LIKE ("%$CitySrch%") '; 
           } 

           if ($RentalIDSrch) { 
            if ($location_count > 0) { 
             $location_result_string = $location_result_string . " AND "; 
            } 
            $location_count = $location_count + 1; 
            $location_result_string = $location_result_string . ' (propID) LIKE ("%$RentalIDSrch%") '; 
           } 

           if ($BedroomSrch) { 
            if ($location_count > 0) { 
             $location_result_string = $location_result_string . " AND "; 
            } 
            $location_count = $location_count + 1; 
            $location_result_string = $location_result_string . ' (propBedrooms) LIKE ("%$BedroomSrch%") '; 
           } 

           if ($BathroomSrch) { 
            if ($location_count > 0) { 
             $location_result_string = $location_result_string . " AND "; 
            } 
            $location_count = $location_count + 1; 
            $location_result_string = $location_result_string . ' (propBaths) LIKE ("%$BathroomSrch%") '; 
           } 

           if ($SleepsSrch) { 
            if ($location_count > 0) { 
             $location_result_string = $location_result_string . " AND "; 
            } 
            $location_count = $location_count + 1; 
            $location_result_string = $location_result_string . ' (propSleeps) LIKE ("%$SleepsSrch%") '; 
           } 



          if ($location_count > 0) { 
           $location_result_string = "WHERE (" . $location_result_string . ")"; 

           $query_string = $query_string . $location_result_string;  
          } 

          $re = mysql_query($query_string, $con) or die (mysql_error()); 

          $number_of_rows = mysql_num_rows($re); 




          // Loop through each item in the result set     
          for ($h = 0; $h < $number_of_rows; $h++) 
          { 

          $propID = mysql_result($re, $h, 'propID'); 
          $propAvail = mysql_result($re, $h, 'propAvail'); 
          $propPets = mysql_result($re, $h, 'propPets'); 
          $propName = mysql_result($re, $h, 'propName'); 
          $propPropertyType = mysql_result($re, $h, 'propPropertyType'); 
          $propPriceRange = mysql_result($re, $h, 'propPriceRange'); 
          $propBedrooms = mysql_result($re, $h, 'propBedrooms'); 
          $propBaths = mysql_result($re, $h, 'propBaths'); 
          $propPropertyType = mysql_result($re, $h, 'propPropertyType'); 
          $propSleeps = mysql_result($re, $h, 'propSleeps'); 
          $propPic1 = mysql_result($re, $h, 'propPic1'); 
          $propPicDesc1 = mysql_result($re, $h, 'propPicDesc1'); 

          $nameLen = strlen($propName); 
          $petsLen = strlen($propPets); 
          $pets = $propPets; 


                  //Results go here 

          } 
          echo $query_string; 
          } 


          // End Results Display 

          ?>

來源

2013-03-27 user2216962

+0

如何都是變量,比如'$ NameSrch,$ CitySrch'集?他們是否設置了或者你是否期望通過POST設置它們?因爲這不起作用。您可以通過$ _POST ['fieldName']訪問發佈的內容。另外,訪問字符串中的變量如'blablabla'。$ sName。'額外';或者如果你使用雙引號,你可以像「blablabla {$ sName} extra」那樣做。 – 2013-03-27 18:44:32

+1

這可能是問題所在。如果你有'REGISTER_GLOBALS = ON'的設置,這個代碼可以工作,但是'REGISTER_GLOBALS = OFF'(它應該是),你必須通過'$ _POST'訪問變量 – kero 2013-03-27 18:46:27

+0

如果像'$ NameSrch'這樣的變量被直接使用從用戶的輸入來看,你的腳本可能容易受到SQL注入的影響。 – Gumbo 2013-03-27 18:50:12

回答

1

如果我的假設是對的,從直接的形式被提取的變量,你必須有註冊的,其全局沒有提供建議,因爲它帶來了很大的安全風險。相反,我已經用正確的方式調整了您的PHP代碼,還修復了包含在查詢字符串中的變量。

<?php 
$method = $_POST['method']; 
if($method == 'exSearch') { 
    // Start Results Display 
    $con = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql: ' . mysql_error()); 
    mysql_select_db($dbname); 
    $query_string = 'SELECT * FROM TABLE '; 
    $location_result_string = ""; 
    $location_count = 0; 
    if ($_POST['NameSrch']) { 
     if ($location_count > 0) { 
      $location_result_string = $location_result_string . " AND "; 
     } 
     $location_count = $location_count + 1; 
     $location_result_string = $location_result_string . ' (propName) LIKE ("%'.$_POST['NameSrch'].'%") '; 
    } 
    if ($_POST['CitySrch']) { 
     if ($location_count > 0) { 
      $location_result_string = $location_result_string . " AND "; 
     } 
     $location_count = $location_count + 1; 
     $location_result_string = $location_result_string . ' (propCity) LIKE ("%'.$_POST['CitySrch'].'%") '; 
    } 
    if ($_POST['RentalIDSrch']) { 
     if ($location_count > 0) { 
      $location_result_string = $location_result_string . " AND "; 
     } 
     $location_count = $location_count + 1; 
     $location_result_string = $location_result_string . ' (propID) LIKE ("%'.$_POST['RentalIDSrch'].'%") '; 
    } 
    if ($_POST['BedroomSrch']) { 
     if ($location_count > 0) { 
      $location_result_string = $location_result_string . " AND "; 
     } 
     $location_count = $location_count + 1; 
     $location_result_string = $location_result_string . ' (propBedrooms) LIKE ("%'.$_POST['BedroomSrch'].'%") '; 
    } 
    if ($_POST['BathroomSrch']) { 
     if ($location_count > 0) { 
      $location_result_string = $location_result_string . " AND "; 
     } 
     $location_count = $location_count + 1; 
     $location_result_string = $location_result_string . ' (propBaths) LIKE ("%'.$_POST['BathroomSrch'].'%") '; 
    } 
    if ($_POST['SleepsSrch']) { 
     if ($location_count > 0) { 
      $location_result_string = $location_result_string . " AND "; 
     } 
     $location_count = $location_count + 1; 
     $location_result_string = $location_result_string . ' (propSleeps) LIKE ("%'.$_POST['SleepsSrch'].'%") '; 
    } 
    if ($location_count > 0) { 
     $location_result_string = "WHERE (" . $location_result_string . ")"; 
     $query_string = $query_string . $location_result_string;  
    } 
    $re = mysql_query($query_string, $con) or die (mysql_error()); 
    $number_of_rows = mysql_num_rows($re); 
    // Loop through each item in the result set     
    for ($h = 0; $h < $number_of_rows; $h++) 
    { 
     $propID = mysql_result($re, $h, 'propID'); 
     $propAvail = mysql_result($re, $h, 'propAvail'); 
     $propPets = mysql_result($re, $h, 'propPets'); 
     $propName = mysql_result($re, $h, 'propName'); 
     $propPropertyType = mysql_result($re, $h, 'propPropertyType'); 
     $propPriceRange = mysql_result($re, $h, 'propPriceRange'); 
     $propBedrooms = mysql_result($re, $h, 'propBedrooms'); 
     $propBaths = mysql_result($re, $h, 'propBaths'); 
     $propPropertyType = mysql_result($re, $h, 'propPropertyType'); 
     $propSleeps = mysql_result($re, $h, 'propSleeps'); 
     $propPic1 = mysql_result($re, $h, 'propPic1'); 
     $propPicDesc1 = mysql_result($re, $h, 'propPicDesc1'); 
     $nameLen = strlen($propName); 
     $petsLen = strlen($propPets); 
     $pets = $propPets; 
     // Results go here 
    } 
    echo $query_string; 
} 
// End Results Display 

?>

我也建議您驗證輸入和檢查,如果你得到你想要的,就像如果你想要的數字,驗證它是一個數字數據類型,這樣你就不太容易受到SQL注入。還可以使用mysql_real_escape_string(http://php.net/manual/en/function.mysql-real-escape-string.php)來清理數據。

如果你希望你的腳本在將來aswell工作,我建議在PDO上學一兩門課,因爲在不久的將來,PHP將擺脫MySQL庫。

來源

2013-03-27 18:55:34

0

您正在使用變量$NameSrch,$CitySrch等,但未定義它們。因爲它們與表單輸入的名稱相匹配,所以我假設你最初打開了register_globals,現在它已關閉(或者如果您使用的是PHP 5.4.0,則將其刪除)。

您需要將其更改爲$_POST['NameSrch']$_POST['CitySrch']

來源

2013-03-27 18:56:26 MichaelRushton

相關問題

 相關問題