PHP MySQL 查询参数化问题
Posted
技术标签:
【中文标题】PHP MySQL 查询参数化问题【英文标题】:PHP MySQL Query Parameterization Problems 【发布时间】:2015-09-15 01:48:57 【问题描述】:问题
嗨。我有以下完整代码:
<?php
require("config.inc.php");
// initial query
$query = "SELECT * FROM `appdrgreenthumb_plant_species`";
// counter for the number of conditions filled by user
// useful for determining when to add "AND" keywords to the query
$numConditions = 0;
// check if any of the fields are filled
if (!isset($_POST['btnSubmit']))
?>
<!DOCTYPE html>
<html>
<head>
<title>Search Dr. Green Thumb's Plant Infobook</title>
<style>
body
font-family: "Courier New", sans-serif;
font-size: 1em;
input[type="submit"]
font-family: "Courier New", sans-serif;
font-size: 1em;
width: 100%;
height: 1.5em;
.wrapper
width: 30em;
padding: 0.5em;
margin: 0 auto;
legend
font-size: 150%;
form
.include_items
width: 50%;
float: left;
margin: 0.5em 0 0.5em;
.form-group
margin: 0.3em 0 0.3em;
.form-group label
float: left;
width: 30%;
text-align: right;
margin-right: 0.1em;
.form-group input
width: 68%;
</style>
</head>
<body>
<div class="wrapper">
<form method="post" action="dictionary_search.php">
<fieldset>
<legend>Search</legend>
<div class="form-group">
<label>Plant ID:</label>
<input type="text" name="id" value="" />
</div>
<div class="form-group">
<label>Plant Name:</label>
<input type="text" name="name" value="" />
</div>
<div class="form-group">
<label>Plant Family:</label>
<input type="text" name="family" value="" />
</div>
<div class="include_items">
<fieldset>
<input type="checkbox" name="cb_id" value="id">Plant ID<br />
<input type="checkbox" name="cb_name" value="name">Plant Name<br />
<input type="checkbox" name="cb_family" value="plant">Plant Family<br />
</fieldset>
</div>
<!-- submit button -->
<input type="submit" value="Search" name="btnSubmit" />
</fieldset>
</form>
</div>
</body>
</html>
<?php
else
if (!empty($_POST['id']) ||
!empty($_POST['name']) ||
!empty($_POST['family'])
)
$query = $query . " WHERE ";
// check if the ID field is filled
if (!empty($_POST['id']))
$numConditions++;
$query = $query . InfoBookUtilities::appendAND($numConditions) . "`id`" . " = " . ":id";
$query_params[':id'] = $_POST['id']; // this is to avoid SQL injection
// check if the NAME field is filled
if (!empty($_POST['name']))
$numConditions++;
# $query = $query . InfoBookUtilities::appendAND($numConditions) . "`name`" . " LIKE " . "'%:name%'";
# $query_params[':name'] = $_POST['name']; // this is to avoid SQL injection
// check if the FAMILY field is filled
if (!empty($_POST['family']))
$numConditions++;
# $query = $query . InfoBookUtilities::appendAND($numConditions) . "`family`" . " LIKE " . "'%:family%'";
# $query_params[':family'] = $_POST['family']; // this is to avoid SQL injection
# echo $query;
?>
<?php
// Run the query:
try
// These two statements run the query against your database table.
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
catch (PDOException $ex)
$response["success"] = 0;
$response["message"] = "Database Error! <br />Exception: " . $ex->getMessage();
die(json_encode($response));
// finally, we can retrieve all of the found rows into an array using fetchAll
$rows = $stmt->fetchAll();
if ($rows)
$response["success"] = 1;
$response["message"] = "Records Available!";
$response["plants"] = array();
foreach ($rows as $row)
$plant = array();
if (isset($_POST['cb_id']))
$plant["id"] = $row["id"];
if (isset($_POST['cb_name']))
$plant["name"] = $row["name"];
if (isset($_POST['cb_family']))
$plant["family"] = $row["family"];
if (isset($_POST['cb_price_floor']) || !empty($_POST['cb_price_ceiling']))
$plant["price"] = $row["price"];
if (isset($_POST['cb_introduction']))
$plant["introduction"] = $row["introduction"];
if (isset($_POST['cb_climate_and_soil']))
$plant["climate_and_soil"] = $row["climate_and_soil"];
if (isset($_POST['cb_temperature_min']))
$plant["temperature_min"] = $row["temperature_min"];
if (isset($_POST['cb_temperature_max']))
$plant["temperature_max"] = $row["temperature_max"];
if (isset($_POST['cb_soil_type']))
$plant["soil_type"] = $row["soil_type"];
if (isset($_POST['cb_soil_ph_min']))
$plant["soil_ph_min"] = $row["soil_ph_min"];
if (isset($_POST['cb_soil_ph_max']))
$plant["soil_ph_max"] = $row["soil_ph_max"];
if (isset($_POST['cb_recommended_varieties']))
$plant["recommended_varieties"] = $row["recommended_varieties"];
if (isset($_POST['cb_land_preparation']))
$plant["land_preparation"] = $row["land_preparation"];
if (isset($_POST['cb_crop_management']))
$plant["crop_management"] = $row["crop_management"];
if (isset($_POST['cb_care']))
$plant["care"] = $row["care"];
if (isset($_POST['cb_nutrition_management']))
$plant["nutrition_management"] = $row["nutrition_management"];
if (isset($_POST['cb_water_management']))
$plant["water_management"] = $row["water_management"];
if (isset($_POST['cb_harvest_management']))
$plant["harvest_management"] = $row["harvest_management"];
if (isset($_POST['cb_pests']))
$plant["pests"] = $row["pests"];
if (isset($_POST['cb_diseases']))
$plant["diseases"] = $row["diseases"];
if (isset($_POST['cb_date_sow_begin']))
$plant["date_sow_begin"] = $row["date_sow_begin"];
if (isset($_POST['cb_date_sow_end']))
$plant["date_sow_end"] = $row["date_sow_end"];
if (isset($_POST['cb_growth_min']))
$plant["growth_min"] = $row["growth_min"];
if (isset($_POST['cb_growth_max']))
$plant["growth_max"] = $row["growth_max"];
if (isset($_POST['cb_image_location']))
$plant["image_location"] = $row["image_location"];
// update our repsonse JSON data
array_push($response["plants"], $plant);
// echoing JSON response
echo json_encode($response);
else
$response["success"] = 0;
$response["message"] = "No Records Available!";
die(json_encode($response));
?>
<?php
?>
<?php
class InfoBookUtilities
public static function appendAND ($numberOfConditions)
if ($numberOfConditions == 1)
return "";
else
return " AND ";
?>
长话短说:当我使用id 或name 文本框过滤我的结果时,我没有得到任何记录,即使我应该这样做。
假设我的表中有这条记录:
然后我在名称文本字段中输入单词“carrot”,选中我所有的复选框。我应该得到一个记录,我相信。但我得到了这个:
"success":0,"message":"No Records Available!"
我什么时候应该得到这个:
"success":1,"message":"Records Available!","plants":["id":"1","name":"Carrot","family":"Umbelliferae"]
另一个问题是,当我尝试同时使用两个文本字段进行搜索时,我收到此错误:
"success":0,"message":"Database Error!
Exception: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens"
我想这实际上只是我添加参数的方式的问题,因为当我这样做时(尽管这是不好的做法):
// check if the NAME field is filled
if (!empty($_POST['name']))
$numConditions++;
# $query = $query . InfoBookUtilities::appendAND($numConditions) . "`name`" . " LIKE " . "'%:name%'";
# $query_params[':name'] = $_POST['name']; // this is to avoid SQL injection
$query = $query . InfoBookUtilities::appendAND($numConditions) . "`name`" . " LIKE " . "'%" . $_POST['name'] . "%'";
// check if the FAMILY field is filled
if (!empty($_POST['family']))
$numConditions++;
# $query = $query . InfoBookUtilities::appendAND($numConditions) . "`family`" . " LIKE " . "'%:family%'";
# $query_params[':family'] = $_POST['family']; // this is to avoid SQL injection
$query = $query . InfoBookUtilities::appendAND($numConditions) . "`family`" . " LIKE " . "'%" . $_POST['family'] . "%'";
我完成了工作。
其他细节:
我能够很好地过滤掉 id 字段(使用我粘贴在最顶部的代码 --- 是的,很长)。
我通过 HTML 表单的文本框字段自定义(设置 WHERE 子句条件)我的 mysql 查询。复选框允许我过滤掉我在每一行中保留的“属性”,然后最终堆积在我的 JSON 数组中。
看起来像这样:
我已经看了几个小时了,我真的不知道出了什么问题。 :/
【问题讨论】:
取消注释这一行 # echo $query;并检查查询是否符合您的预期? 哦,我为这篇文章取消了评论。该查询对我来说看起来不错。按照我的“胡萝卜”示例:这是查询的样子:“SELECT * FROMappdrgreenthumb_plant_species WHERE name LIKE '%:name%'”。我不知道 :name 部分是否应该这样显示,或者它应该是 '%carrot%' 因为当我使用 ID 文本字段进行搜索时,我有查询:“SELECT * FROM @987654333 @ WHERE id = :id" 搜索成功。 ://
从占位符周围删除单引号,因为这将为您完成。然后尝试将通配符添加到占位符值中,而不是围绕占位符 -> ... `name`" . " LIKE " . ":name"; 和 $query_params[':name'] = "%".$_POST['name']."%";
知道了。非常感谢。
@IReallyWantToStayAnonymous 是否解决了您的问题?我可以将其添加为答案,以便可以关闭它(如果有的话)。
【参考方案1】:
通过将占位符包装在 '%..%' 中,您的最终值将类似于 - '%'carrot'%'。相反,您希望将通配符附加到您的 $_POST 值 - 即。 "%".$_POST['name']."%" 并允许 PDO 为您报价。所以现在你的代码看起来像 -
// check if the NAME field is filled
if (!empty($_POST['name']))
$numConditions++;
$query = $query . InfoBookUtilities::appendAND($numConditions) . "`name`" . " LIKE " . ":name";
$query_params[':name'] = "%".$_POST['name']."%"; // this is to avoid SQL injection
// check if the FAMILY field is filled
if (!empty($_POST['family']))
$numConditions++;
$query = $query . InfoBookUtilities::appendAND($numConditions) . "`family`" . " LIKE " . ":family";
$query_params[':family'] = "%".$_POST['family']."%"; // this is to avoid SQL injection
【讨论】:
以上是关于PHP MySQL 查询参数化问题的主要内容,如果未能解决你的问题,请参考以下文章
使用 MySql、PHP 和 ADODB 在准备好的语句中参数化 IN 子句
在带有 PDO 的 PHP 中,如何检查最终的 SQL 参数化查询? [复制]