PHP mysqli prepared statement search form


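Hello all, this is round two.

I recently asked a question about cleaning up some ugly code I had been writing, and I quickly got the help I asked for. Thank you!

The original question thread is here:

I was quickly directed to use prepared statements in mysqli, instead of what I had been doing, to avoid SQL injection and the like. I knew I was going to get that advice, so it came as no surprise. So I did some more digging and rewrote the original code accordingly. But now I have broken the form.

Would anyone be willing to take a look at what I'm missing? I'm new to all of this, and my searches on the internet haven't helped me debug it myself.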

<!DOCTYPE html>
<html>
<head>
<title>Client Search Results</title>
<link rel="stylesheet" href="styles.css">
</head>

<body>

<div class="container">      
<form id="contact" action="" method="post">

<fieldset>
<h4>Search For Client</h4>
<input name="search" placeholder="Enter Name Here" type="text">
</fieldset>

<fieldset>
<button type="submit">Search</button>
</fieldset>

</form>
</div>

<div class='container'>    
<form id='contact' action='edit.php' method='post'>

<fieldset>
<h4>Search Results</h4>
<select size="5" style="width:100%" name='id' >

<?php
// Include database communication info
include("../../comm/com.php");

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Search
$search = "%{$_POST['search']}%";
$stmt = $db->prepare("SELECT client_id, firstname, lastname, city, state  FROM client WHERE firstname LIKE ?"); 
$stmt->bind_param("s", $search);
$stmt->execute();
$stmt->store_result();
$numRows = $stmt->num_rows;
$stmt->bind_result($client_id, $firstname, $lastname, $city, $state); 

if($result > 0) {
  while ($stmt->fetch()) {
    echo "<option value='$client_id'>$firstname $lastname - $city, $state</option>";
  }
}
$stmt->close();
?>

</select>
</fieldset>

<fieldset>
<button type='submit' name='submit'>View Selection</button>
</fieldset>

</form>
</div>

</body>
</html>


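After rewriting this code many times and getting help from several different directions, this is the code I settled on. It works the way I wanted and seems solid.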

<html>
<head>
<title>Client Search Results</title>
<link rel="stylesheet" href="styles.css">
</head>

<body>

<div class="container">      
<form id="contact" action="" method="post">

<fieldset>
<h4>Search For Client</h4>
<input name="search" placeholder="Enter Name Here" type="text" autofocus>
</fieldset>

<fieldset>
<button type="submit">Search</button>
</fieldset>

</form>
</div>

<div class='container'>    
<form id='contact' action='edit.php' method='post'>

<fieldset>
<h4>Search Results</h4>
<select size="5" style="width:100%" name='client_id' >

<?php

// Retrieve Search Term (stays null, which matches nothing, until the form is submitted)
$search = null;
if (isset($_POST['search']) && is_string($_POST['search'])) {
    $search = "%{$_POST['search']}%";
}

// Include Connection Credentials
include("../../comm/com.php");

// Connection to Database
$link = mysqli_connect($servername, $username, $password, $dbname);

// Connection Error Check (mysqli_connect() returns false on failure when exceptions are not enabled)
if (!$link) {
    echo "Sorry, there seems to be a connection issue.";
    exit;
}

// Prepared Statement For Database Search
if ($stmt = $link->prepare("SELECT client_id, firstname, lastname, city, state FROM client WHERE firstname LIKE ? OR lastname LIKE ?")) {

    // Bind Search Variable
    $stmt->bind_param('ss', $search, $search);

    // Execute the Statement
    $stmt->execute();

    // Bind Result Columns to Variables
    $stmt->bind_result($client_id, $firstname, $lastname, $city, $state);

    // Fetch Values
    while ($stmt->fetch()) {

        // Display Results of Search, HTML-encoding every database value
        $value = htmlspecialchars((string) $client_id, ENT_QUOTES, 'UTF-8');
        $label = htmlspecialchars("$firstname $lastname - $city, $state", ENT_QUOTES, 'UTF-8');
        echo "<option value='$value'>$label</option>";
    }

    // Close Statement (inside the if, so it only runs when prepare() succeeded)
    $stmt->close();
}

// Disconnect from Database
mysqli_close($link);
?>

</select>
</fieldset>

<fieldset>
<button type='submit' name='submit'>View Selection</button>
</fieldset>

</form>
</div>
</body>
</html>
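
Binding the search term keeps it out of the SQL text, but `%` and `_` typed by the user still act as LIKE wildcards, and values read from the database still need HTML encoding before they are echoed into `<option>`. The sketch below is an added example, not code from the question or the answer; the helper names `like_contains`, `search_clients` and `render_options` are hypothetical, the table and column names are the ones on the page, and the sample row is constructed.

```php
<?php
// Added example: helper names are hypothetical; table/columns are those used on the page.

// Escape LIKE metacharacters so user-typed % and _ match literally, then wrap
// the term for a "contains" search. Backslash is MySQL's default LIKE escape.
function like_contains(string $term): string
{
    return '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

// Run the bound-parameter search on one connection object and return the rows.
function search_clients(mysqli $conn, string $term): array
{
    $pattern = like_contains($term);
    $stmt = $conn->prepare(
        "SELECT client_id, firstname, lastname, city, state
           FROM client WHERE firstname LIKE ? OR lastname LIKE ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $first, $last, $city, $state);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['client_id' => $id, 'firstname' => $first,
                   'lastname' => $last, 'city' => $city, 'state' => $state];
    }
    $stmt->close();
    return $rows;
}

// HTML-encode every database value before it reaches the page.
function render_options(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $value = htmlspecialchars((string) $r['client_id'], ENT_QUOTES, 'UTF-8');
        $text  = "{$r['firstname']} {$r['lastname']} - {$r['city']}, {$r['state']}";
        $label = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
        $html .= "<option value='$value'>$label</option>\n";
    }
    return $html;
}

// Constructed sample row (no database needed) with markup and a quote in the data.
$sample = [['client_id' => 7, 'firstname' => '<b>Ann</b>', 'lastname' => "O'Neil",
            'city' => 'Reno', 'state' => 'NV']];
echo like_contains('50%_off'), "\n";
echo render_options($sample);
```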
