Php 仅选择一个过滤器时进行过滤
我必须做一个汽车网站,根据预设的mysql数据库过滤汽车。 如果选择了所有车型(例如:本田、白色、汽油车和非特殊车型-它将显示该车),我会对其进行过滤,但如果我只想看到所有本田车型(例如)均未显示 这是我的代码:Php 仅选择一个过滤器时进行过滤,php,mysql,Php,Mysql,我必须做一个汽车网站,根据预设的mysql数据库过滤汽车。 如果选择了所有车型(例如:本田、白色、汽油车和非特殊车型-它将显示该车),我会对其进行过滤,但如果我只想看到所有本田车型(例如)均未显示 这是我的代码: if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) || isset($_GET['special'])){ if(isset($_GET['make'])){
if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) || isset($_GET['special'])){
if(isset($_GET['make'])){
$make = $_GET['make'];
}
if(isset($_GET['colour'])){
$colour = $_GET['colour'];
}
if(isset($_GET['fueltype'])){
$fueltype = $_GET['fueltype'];
}
if(isset($_GET['special'])){
$special = $_GET['special'];
}
$result = mysqli_query($con,"SELECT * FROM Cars WHERE MAKE ='$make' AND COLOUR = '$colour' AND FUELTYPE = '$fueltype' AND SPECIAL = '$special'");
}
else{
$result = mysqli_query($con,"SELECT * FROM Cars");
}
else语句使所有汽车在过滤前打开页面时显示。escape的意思是:mysql\u escape\u字符串,对照有效/允许值列表进行检查,或者经过深思熟虑后想要的任何东西
$where = "";
$separator = " WHERE ";
if(isset($_GET['make'])){
$make = $_GET['make'];
!! escape here
$where .= $separator . " MAKE = '$make' ";
$separator = " AND ";
}
if(isset($_GET['colour'])){
$colour = $_GET['colour'];
!! escape here
$where .= $separator . " COLOUR = '$colour' ";
$separator = " AND ";
}
...
$result = mysqli_query($con,"SELECT * FROM Cars " . $where);
这是你可以做到的。请为sql注入攻击做些什么。这只是一个例子
$query = "SELECT * FROM Cars ";
$where = array();
if(isset($_GET['make'])){
$where['make'] = $_GET['make'];
}
if(isset($_GET['colour'])){
$where['colour'] = $_GET['colour'];
}
if(isset($_GET['fueltype'])){
$where['fueltype'] = $_GET['fueltype'];
}
if(isset($_GET['special'])){
$where['special'] = $_GET['special'];
}
$string = '';
if(count($where)>0){
$i=0;
foreach($where as $key => $value)
{
if($i==0){
$string .= " WHERE $key = $value ";
}else{
$string .= " AND $key = $value ";
}
$i++;
}
}
$query .= $string;
mysqli_query($query);
忽略安全问题,您可以使用以下内容替换整个代码:
$query = "SELECT * FROM Cars WHERE 1 = 1";
if (isset($_GET['make']))
$query .= ' AND MAKE = ' . (int) $_GET['make'];
if (isset($_GET['colour']))
$query .= ' AND COLOUR = ' . (int) $_GET['colour'];
if (isset($_GET['fueltype']))
$query .= ' AND FUELTYPE = ' . (int) $_GET['fueltype'];
if (isset($_GET['special']))
$query .= ' AND SPECIAL = ' . (int) $_GET['special'];
$result = mysqli_query($con, $query);
注意:攻击的可能性很高。添加,这是最好的解决方案。什么是sql注入攻击?这只是一个大学项目,它不会在互联网上直播。我还必须为此做些什么,如果是,怎么做?@user2136106。虽然这可能是拼贴项目,但您应该学会防止sql注入。此外,在拼贴项目中,应用安全性将是您的加分。为什么您的if语句没有{}?我如何在没有它们的情况下将else添加到这里?抱歉,如果这是一个愚蠢的问题,这对我来说是全新的如果
语句没有括号,那么只有在条件为true时才会执行下一条指令。您可以在指令之后添加else,关于方括号的规则与上面相同。不管怎么说,这是一种不好的做法,你应该始终使用括号
$query = "SELECT * FROM Cars WHERE 1 = 1";
if (isset($_GET['make']))
$query .= ' AND MAKE = ' . (int) $_GET['make'];
if (isset($_GET['colour']))
$query .= ' AND COLOUR = ' . (int) $_GET['colour'];
if (isset($_GET['fueltype']))
$query .= ' AND FUELTYPE = ' . (int) $_GET['fueltype'];
if (isset($_GET['special']))
$query .= ' AND SPECIAL = ' . (int) $_GET['special'];
$result = mysqli_query($con, $query);