Php mysql搜索返回整个表
我使用这个PHP来执行搜索,但是它返回表中的所有内容,而不是与搜索相关的任何内容……我还收到了一个“mysqli\u real\u escape\u string”错误,但我不确定它是否相关Php mysql搜索返回整个表,php,mysql,search,Php,Mysql,Search,我使用这个PHP来执行搜索,但是它返回表中的所有内容,而不是与搜索相关的任何内容……我还收到了一个“mysqli\u real\u escape\u string”错误,但我不确定它是否相关 <?php $con=mysqli_connect("***","***","***","***"); // Check connection if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_
<?php
$con=mysqli_connect("***","***","***","***");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search results</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="style.css"/>
</head>
<body>
<?php
$query = $_GET['query'];
// gets value sent over search form
$min_length = 3;
// you can set minimum length of the query if you want
if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then
$query = htmlspecialchars($query);
// changes characters used in html to their equivalents, for example: < to >
$query = mysqli_real_escape_string($query);
// makes sure nobody uses SQL injection
$raw_results = mysqli_query($con,"SELECT * FROM test_table
WHERE ('email' LIKE '%".$query."%') OR ('pw' LIKE '%".$query."%')") or die(mysqli_error());
if(mysqli_num_rows($raw_results) > 0){ // if one or more rows are returned do following
echo "<table border='1'>
<tr>
<th>email</th>
<th>pw</th>
</tr>";
while($results = mysqli_fetch_array($raw_results)){
// $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop
echo "<tr><td>".$results['email']."</td><td>".$results['pw']."</td></tr>";
//echo "<p><h3>".$results['email']."</h3>".$results['pw']."<br/>".$results['ID']."</p>";
}
}
else{ // if there is no matching rows do following
echo "No results";
}
}
else{ // if query length is less than minimum
echo "Minimum length is ".$min_length;
}
?>
</body>
</html>
搜索结果
你的查询不正确。您应该使用反勾号,而不是引号
$raw_results = mysqli_query($con,"SELECT * FROM test_table
WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')") or
die(mysqli_error());
此外,mysqli_real_escape_字符串要求第一个参数为$con
$query = mysqli_real_escape_string($con, $query);
您转义列名是错误的,它们应该用反勾号转义,而不是单引号
'email' -- the string "email".
`email` -- the column "email".
换言之,它应该是
WHERE (`email` LIKE '%".$query."%') OR (`pw` LIKE '%".$query."%')"
作为补充说明,您最好使用参数化查询,而不是使用mysqli\u real\u escape\u string()
将查询构建为字符串。这有利于安全性,并且可以为数据库计算查询
如果仍要在过程类型调用中使用它(正如您所做的),则需要将连接作为第一个参数传递给它
$query = mysqli_real_escape_string($con, $query);
您需要以不同的方式引用您的查询。试试这个:
"SELECT * FROM test_table WHERE (`email` LIKE '%" . $query . "%') OR (`pw` LIKE '%" . $query . "%')"
此外,您的mysqli\u real\u escape\u字符串中需要$con,如:
mysqli_real_escape_string($con, $query)
谢谢这就解决了问题……关于参数化查询而不是转义字符串,你有什么建议让我学习如何执行吗?@user1958605是一个相当不错的快速入门,它展示了执行查询的不同风格。
mysqli_real_escape_string($con, $query)