[英]Creating conditional sql query
I am having a problem getting a query to work (and also am questioning the security of the query). 我在使查询正常工作时遇到了问题(也对查询的安全性提出了质疑)。
if(isset($_POST)){
$sql = "SELECT * FROM members WHERE";
if($_POST['FirstName_S'] !== ''){
$sql .= " FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
if($_POST['LastName_S'] !== ''){
$sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
}
}
Obviously, if FirstName_S is undefined, the query breaks saying "WHERE OR". 显然,如果FirstName_S未定义,查询将中断并显示“ WHERE OR”。 It seems like it would have a logical fix, but I've been staring at it for a little too long. 似乎有一个合理的解决方法,但我盯着它看了太久了。
Also, sql injection was brought up as a concern, and as a side-question, would sanitizing the input be enough? 另外,SQL注入引起了人们的关注,并且作为一个附带问题,对输入进行处理是否足够? Or is this altogether bad practice? 还是这完全是不好的做法?
if(isset($_POST)){
$sql = "SELECT * FROM members WHERE";
if($_POST['FirstName_S'] !== ''){
$sql .= "OR FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
if($_POST['LastName_S'] !== ''){
$sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
}
$sql=str_replace("WHERE OR","WHERE",$sql); // quick dirty fix
}
Ofcourse you'd need to sanitize the input, but since you didn't mention which MySQL API you use, I did not add any sanitization functions yet. 当然,您需要清理输入,但是由于您没有提到要使用哪个MySQL API,因此我还没有添加任何清理功能。 You can look at http://php.net/mysqli_real_escape_string 您可以看一下http://php.net/mysqli_real_escape_string
do it other way as follow 按照其他方式做
if(isset($_POST)){
$sql = "SELECT * FROM members WHERE";
if($_POST['FirstName_S'] !== ''){
$sql_arr[]=" FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
if($_POST['LastName_S'] !== ''){
$sql_arr[]= " LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql_arr[]= " Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql_arr[]= " Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql_arr[]= " City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql_arr[]= " State LIKE '%" . $_POST['State_S'] . "%'";
}
if(!empty($sql_arr)){
$sql.=implode(' OR ',$sql_arr);
}
}
The quick fix is to add 1=1
to your query, so your query ends with WHERE 1=1
. 快速解决方案是向查询中添加1=1
,因此您的查询以WHERE 1=1
结尾。 That allows you to be free to append any number of OR something
to your query, without being concerned with omitting the OR
on the first one. 这样一来,您就可以自由地向查询中添加任意数量的OR something
,而不必担心在第一个查询中省略OR
。
(That 1=1 predicate doesn't cause any problem; that will be evaluated at parse time, and doesn't appear in the execution plan.) (1 = 1谓词不会引起任何问题;它将在解析时进行评估,并且不会出现在执行计划中。)
As to SQL Injection, yes, this code is susceptible. 对于SQL注入,是的,此代码易受攻击。 If you are using mysql interface, then sanitize the post variables with mysql_real_escape_string
function. 如果使用的是mysql接口,请使用mysql_real_escape_string
函数mysql_real_escape_string
post变量。 If you are using mysqli or PDO (and you should be), then use parameterized queries. 如果您正在使用mysqli或PDO(应该使用),则使用参数化查询。
$stmt = $dbConnection->prepare('SELECT * FROM members WHERE FirstName LIKE ? OR LastName LIKE ? OR FIRM LIKE ? OR Country LIKE ? OR CITY LIKE ? OR STATE LIKE ?');
if($_POST['FirstName_S'] !== ''){
$stmt->bind_param('FirstName', '%'.$_POST['FirstName_S'].'%');
} else {
$stmt->bind_param('FirstName', '%');
}
… // do this for all your parameters
$stmt->execute();
I think this could help you: 我认为这可以帮助您:
if(isset($_POST)){
$sql = "SELECT * FROM members";
if($_POST['FirstName_S'] !== ''){
$sql .= " WHERE FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
else {
$sql .= " WHERE FirstName LIKE '%'";
}
if($_POST['LastName_S'] !== ''){
$sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
}
} }
and for the SQL injections, you can check General_Twyckenham comment. 对于SQL注入,您可以检查General_Twyckenham注释。
You could compose the WHERE command based on what parameters is entered... 您可以根据输入的参数编写WHERE命令。
if(isset($_POST)){
$sql_where = '';
$sql = "SELECT * FROM members ";
if($_POST['FirstName_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." FirstName LIKE '%" . $_POST['FirstName_S'] . "%' ";
}
if($_POST['LastName_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." LastName LIKE '%" . $_POST['LastName_S'] . "%' ";
}
if($_POST['Firm_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." Firm LIKE '%" . $_POST['Firm_S'] . "%' ";
}
if($_POST['Country_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." Country LIKE '%" . $_POST['Country_S'] . "%' ";
}
if($_POST['City_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." City LIKE '%" . $_POST['City_S'] . "%' ";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql_where .= (($sql_where != '')?('OR '):(''))." State LIKE '%" . $_POST['State_S'] . "%' ";
}
$sql .= (($sql_where != '')?('WHERE '.sql_where):(''));
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.