堆栈内存溢出
  简体   繁体   English

创建条件SQL查询

[英]Creating conditional sql query

 原文  2013-08-12 17:13:51       php/ mysql/ conditional

问题描述

I am having a problem getting a query to work (and also am questioning the security of the query). 我在使查询正常工作时遇到了问题(也对查询的安全性提出了质疑)。 

  if(isset($_POST)){
        $sql = "SELECT * FROM members WHERE";

     if($_POST['FirstName_S'] !== ''){
        $sql .= " FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
     }
     if($_POST['LastName_S'] !== ''){
        $sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
     }
     if($_POST['Firm_S'] !== ''){
        $sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
     }
     if($_POST['Country_S'] !== ''){
        $sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
     }
     if($_POST['City_S'] !== ''){
        $sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
     }
     if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
        $sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
     }
  }

Obviously, if FirstName_S is undefined, the query breaks saying "WHERE OR". 显然,如果FirstName_S未定义,查询将中断并显示“ WHERE OR”。 It seems like it would have a logical fix, but I've been staring at it for a little too long. 似乎有一个合理的解决方法,但我盯着它看了太久了。

Also, sql injection was brought up as a concern, and as a side-question, would sanitizing the input be enough? 另外,SQL注入引起了人们的关注,并且作为一个附带问题,对输入进行处理是否足够? Or is this altogether bad practice? 还是这完全是不好的做法?

6 个解决方案

解决方案1
 3 已采纳  2013-08-12 17:25:39

  if(isset($_POST)){
        $sql = "SELECT * FROM members WHERE";

     if($_POST['FirstName_S'] !== ''){
        $sql .= "OR FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
     }
     if($_POST['LastName_S'] !== ''){
        $sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
     }
     if($_POST['Firm_S'] !== ''){
        $sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
     }
     if($_POST['Country_S'] !== ''){
        $sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
     }
     if($_POST['City_S'] !== ''){
        $sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
     }
     if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
        $sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
     }

    $sql=str_replace("WHERE OR","WHERE",$sql);   // quick dirty fix

  }

Ofcourse you'd need to sanitize the input, but since you didn't mention which MySQL API you use, I did not add any sanitization functions yet. 当然,您需要清理输入,但是由于您没有提到要使用哪个MySQL API,因此我还没有添加任何清理功能。 You can look at http://php.net/mysqli_real_escape_string 您可以看一下http://php.net/mysqli_real_escape_string

解决方案2
 2  2013-08-12 17:26:54

do it other way as follow 按照其他方式做 

if(isset($_POST)){
        $sql = "SELECT * FROM members WHERE";

     if($_POST['FirstName_S'] !== ''){
        $sql_arr[]=" FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";

     }
     if($_POST['LastName_S'] !== ''){
        $sql_arr[]= " LastName LIKE '%" . $_POST['LastName_S'] . "%'";
     }
     if($_POST['Firm_S'] !== ''){
        $sql_arr[]= " Firm LIKE '%" . $_POST['Firm_S'] . "%'";
     }
     if($_POST['Country_S'] !== ''){
        $sql_arr[]= " Country LIKE '%" . $_POST['Country_S'] . "%'";
     }
     if($_POST['City_S'] !== ''){
        $sql_arr[]= " City LIKE '%" . $_POST['City_S'] . "%'";
     }
     if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
        $sql_arr[]= " State LIKE '%" . $_POST['State_S'] . "%'";
     }
     if(!empty($sql_arr)){
       $sql.=implode(' OR ',$sql_arr);
}

  }

解决方案3
 2  2013-08-12 17:41:29

The quick fix is to add 1=1 to your query, so your query ends with WHERE 1=1 . 快速解决方案是向查询中添加1=1 ,因此您的查询以WHERE 1=1结尾。 That allows you to be free to append any number of OR something to your query, without being concerned with omitting the OR on the first one. 这样一来,您就可以自由地向查询中添加任意数量的OR something ,而不必担心在第一个查询中省略OR

(That 1=1 predicate doesn't cause any problem; that will be evaluated at parse time, and doesn't appear in the execution plan.) (1 = 1谓词不会引起任何问题;它将在解析时进行评估,并且不会出现在执行计划中。)

As to SQL Injection, yes, this code is susceptible. 对于SQL注入,是的,此代码易受攻击。 If you are using mysql interface, then sanitize the post variables with mysql_real_escape_string function. 如果使用的是mysql接口,请使用mysql_real_escape_string函数mysql_real_escape_string post变量。 If you are using mysqli or PDO (and you should be), then use parameterized queries. 如果您正在使用mysqli或PDO(应该使用),则使用参数化查询。

解决方案4
 1  2013-08-12 17:27:31

$stmt = $dbConnection->prepare('SELECT * FROM members WHERE FirstName LIKE ? OR LastName LIKE ? OR FIRM LIKE ? OR Country LIKE ? OR CITY LIKE ? OR STATE LIKE ?');


if($_POST['FirstName_S'] !== ''){
  $stmt->bind_param('FirstName', '%'.$_POST['FirstName_S'].'%');
} else {
  $stmt->bind_param('FirstName', '%');
}

… // do this for all your parameters

$stmt->execute();

解决方案5
 0  2013-08-12 17:25:54

I think this could help you: 我认为这可以帮助您: 

if(isset($_POST)){
    $sql = "SELECT * FROM members";

 if($_POST['FirstName_S'] !== ''){
    $sql .= " WHERE FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
 }
 else {
   $sql .= " WHERE FirstName LIKE '%'";
 }
 if($_POST['LastName_S'] !== ''){
    $sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
 }
 if($_POST['Firm_S'] !== ''){
    $sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
 }
 if($_POST['Country_S'] !== ''){
    $sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
 }
 if($_POST['City_S'] !== ''){
    $sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
 }
 if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
    $sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
 }

} }

and for the SQL injections, you can check General_Twyckenham comment. 对于SQL注入,您可以检查General_Twyckenham注释。

解决方案6
 0  2013-08-12 18:05:08

You could compose the WHERE command based on what parameters is entered... 您可以根据输入的参数编写WHERE命令。 

if(isset($_POST)){
    $sql_where = '';
    $sql = "SELECT * FROM members ";

    if($_POST['FirstName_S'] !== ''){
        $sql_where .= (($sql_where != '')?('OR '):(''))." FirstName LIKE '%" . $_POST['FirstName_S'] . "%' ";
    }
    if($_POST['LastName_S'] !== ''){
        $sql_where .= (($sql_where != '')?('OR '):(''))." LastName LIKE '%" . $_POST['LastName_S'] . "%' ";
    }
    if($_POST['Firm_S'] !== ''){
        $sql_where .= (($sql_where != '')?('OR '):(''))." Firm LIKE '%" . $_POST['Firm_S'] . "%' ";
    }
    if($_POST['Country_S'] !== ''){
        $sql_where .= (($sql_where != '')?('OR '):(''))." Country LIKE '%" . $_POST['Country_S'] . "%' ";
    }
    if($_POST['City_S'] !== ''){
        $sql_where .= (($sql_where != '')?('OR '):(''))." City LIKE '%" . $_POST['City_S'] . "%' ";
    }
    if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
        $sql_where .= (($sql_where != '')?('OR '):(''))." State LIKE '%" . $_POST['State_S'] . "%' ";
    }
    $sql .= (($sql_where != '')?('WHERE '.sql_where):(''));
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SQL条件查询表 - Sql conditional query on table 表的条件sql查询 - conditional sql query for tables SQL的条件连接查询结果 - Conditional Concatenation of SQL Query results 动态创建一个SQL查询 - creating a sql query dynamically 使用复选框创建SQL查询 - Creating a SQL Query with checkboxes 协助创建 SQL 查询 - assistance creating a SQL Query 创建插入的条件SQL select语句 - Creating a conditional SQL select statement that inserts 使用.getJSON传递变量进行条件SQL查询 - Passing a variable using .getJSON for conditional SQL Query PHP和SQL多重/条件过滤器查询 - PHP and SQL multiple/conditional filters query 基本PHP-SQL查询中的条件串联 - Basic PHP - Conditional Concatenation Within SQL Query
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM