Fatal编程技术网
  • php/
  • Php 用户给定多个参数的mysql搜索查询

Php 用户给定多个参数的mysql搜索查询

php mysql

Php 用户给定多个参数的mysql搜索查询,php,mysql,Php,Mysql,我正在使用php开发一个搜索选项。在那里,我需要使用用户给定的条件进行搜索。当用户给定id、名称、状态这三个参数的任意组合时,用户可以进行搜索。下面是我的代码 if(isset($_POST['search'])) { echo "<script> document.getElementById('tblsearch').style.display = 'block' </script> "; $serviceNumbe

我正在使用php开发一个搜索选项。在那里,我需要使用用户给定的条件进行搜索。当用户给定id、名称、状态这三个参数的任意组合时,用户可以进行搜索。下面是我的代码

    if(isset($_POST['search']))
    {
        echo "<script> document.getElementById('tblsearch').style.display = 'block' </script> "; 

        $serviceNumber=$_POST['serviceNumber'];
        $name=$_POST['name'];
        $pendingfrom=$_POST['pendingfrom'];
        $status=$_POST['status'];
        $datefrom=$_POST['datefrom'];
        $dateto=$_POST['dateto'];
        $searchkey='serviceNumber';




$mysqli = new mysqli("localhost", "root", "", "user_management");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

    $query = 'SELECT * FROM user WHERE ';
    $where = array();
    $values = array();
    $types = '';

    if (!empty($_POST['serviceNumber'])) {
        $where[] = 'serviceNumber = ?';
        $values[] = $_POST['serviceNumber'];
        $types .= 'i';
    }

    if (!empty($_POST['name'])) {
        $where[] = 'Username = ?';
        $values[] = $_POST['name'];
        $types .= 's';
    }

    if (!empty($_POST['status'])) {
        $where[] = 'status = ?';
        $values[] = $_POST['status'];
        $types .= 's';
    }



      $query .= implode(' AND ',$where);
      printf("rows inserted: %d\n", $query);



  printf("rows inserted: %d\n", $values);

/* prepare statement */
if ($stmt = $mysqli->prepare($query)) {

    /* Bind variable for placeholder */

    $stmt->bind_param($types,$values);

    /* execute statement */

    $stmt->execute();
    $res = $stmt->get_result();
    $row = $res->fetch_assoc();

    printf("rows inserted: %d\n", $stmt->num_rows);

    /* close statement */
    $stmt->close();
}

/* close connection */
    $mysqli->close();
所以为了得到正确的结果,我需要怎么做

可以使用调用具有参数数组的函数。参数需要存储为引用,以便传递给方法。长话短说,您需要一个数组,其中第一个值是字符串,其余是对参数的引用

例如:

$bindParams = [$types];
foreach ($values as $key => $value) {
    $bindParams[$key] = &$value;
}

call_user_func_array(
  [$stmt, 'bind_param'], //array with the object and the method - callable
  $bindParams
);
请尝试使用以下命令:

     if(isset($_POST['search']))
      {
      echo "<script> document.getElementById('tblsearch').style.display = 'block' </script> "; 

    $serviceNumber=$_POST['serviceNumber'];
    $name=$_POST['name'];
    $pendingfrom=$_POST['pendingfrom'];
    $status=$_POST['status'];
    $datefrom=$_POST['datefrom'];
    $dateto=$_POST['dateto'];
    $searchkey='serviceNumber';




$mysqli = new mysqli("localhost", "root", "", "user_management");

/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}

$query = 'SELECT * FROM user WHERE ';

if (!empty($_POST['serviceNumber'])) {
   $query .="serviceNumber='$searchkey'  ";

}

if (!empty($_POST['name'])) {
          $query .="and Username='$name'  ";

}

if (!empty($_POST['status'])) {
    $where[] = 'status = ?';
    $values[] = $_POST['status'];
          $query .=" and status='$status' ";
}




/* prepare statement */
if ($stmt = $mysqli->prepare($query)) {

/* Bind variable for placeholder */

$stmt->bind_param($types,$values);

/* execute statement */

$stmt->execute();
$res = $stmt->get_result();
$row = $res->fetch_assoc();

printf("rows inserted: %d\n", $stmt->num_rows);

/* close statement */
$stmt->close();
}

     /* close connection */
$mysqli->close();
希望这有帮助。

您可以使用$values数组,并为循环的每次迭代绑定适当的参数。警告:mysqli_stmt::bind_param的参数2应为引用,在第331行的C:\xampp\htdocs\User_managemet\search.php中给出的值致命错误:未捕获错误:调用成员函数fetch_assoc on C:\xampp\htdocs\User_managemet\search.php:335堆栈跟踪:0{main}在第335行的C:\xampp\htdocs\User\u managemet\search.php中抛出,这将打开SQL注入。是一种可怕的做事方式。。。 
     if(isset($_POST['search']))
      {
      echo "<script> document.getElementById('tblsearch').style.display = 'block' </script> "; 

    $serviceNumber=$_POST['serviceNumber'];
    $name=$_POST['name'];
    $pendingfrom=$_POST['pendingfrom'];
    $status=$_POST['status'];
    $datefrom=$_POST['datefrom'];
    $dateto=$_POST['dateto'];
    $searchkey='serviceNumber';




$mysqli = new mysqli("localhost", "root", "", "user_management");

/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}

$query = 'SELECT * FROM user WHERE ';

if (!empty($_POST['serviceNumber'])) {
   $query .="serviceNumber='$searchkey'  ";

}

if (!empty($_POST['name'])) {
          $query .="and Username='$name'  ";

}

if (!empty($_POST['status'])) {
    $where[] = 'status = ?';
    $values[] = $_POST['status'];
          $query .=" and status='$status' ";
}




/* prepare statement */
if ($stmt = $mysqli->prepare($query)) {

/* Bind variable for placeholder */

$stmt->bind_param($types,$values);

/* execute statement */

$stmt->execute();
$res = $stmt->get_result();
$row = $res->fetch_assoc();

printf("rows inserted: %d\n", $stmt->num_rows);

/* close statement */
$stmt->close();
}

     /* close connection */
$mysqli->close();