查询多列php / mysql
[英]query multiple columns php/mysql
问题描述
new to php and am enrolled on a course, so can ask tutor tomorrow if this is more complicated than i think it might be! 
我刚接触过一个课程,所以如果这比我认为的更复杂,可以问明天的导师!
I have an sql query, and it works fine. 我有一个SQL查询,它工作正常。 But I am trying to add and 'and' in the select statement. 但我试图在select语句中添加'和'。
This is what I have at the minute 这就是我现在所拥有的
$query = "SELECT * from table1 where table1.age <= " . $_POST['min_age'] ;
I have a 'region' input on my linked html page and want results to be returned only if the min_age and region values match those inputted by the user. 我在链接的html页面上有一个“区域”输入,并且只有当min_age和region值与用户输入的值匹配时才希望返回结果。
I have tried adding an 'and where' but it doesn't work and I am not sure if it is because of the multiple "'s or if what I am trying to do needs a different method? 我已经尝试添加'和哪里'但它不起作用我不确定它是否是因为多个“或者我想要做什么需要不同的方法?
Thanks 谢谢
1 个解决方案
解决方案1
2 2013-10-23 18:38:46
If you need multiple conditions, just separate them with AND : 如果您需要多个条件,只需用AND分隔它们:
... WHERE table1.age <= ? AND table1.region = ?
No need to use WHERE again. 无需再次使用WHERE 。 Just like you wouldn't need to use if() more than once if you were writing a complex condition in PHP. 就像你在PHP中编写复杂条件一样,你不需要多次使用if() 。
PS: This isn't directly related to your question, but you should get into the habit of not putting $_POST or $_GET variables directly into your SQL queries. PS:这与你的问题没有直接关系,但是你应该养成不将$ _POST或$ _GET变量直接放入SQL查询的习惯。 It's a good way to get hacked! 这是一个被黑客入侵的好方法! Ask your tutor about "SQL injection," or read my presentation SQL Injection Myths and Fallacies . 向你的导师询问“SQL注入”,或者阅读我的演示文稿SQL Injection Myths and Fallacies 。
I know you're just starting out, but if you were training to be an electrician, you would place a high priority on learning how to avoid being electrocuted or how to avoid causing a fire. 我知道你刚刚开始,但如果你正在接受培训成为一名电工,你会高度重视学习如何避免触电或如何避免引起火灾。
Here's how I would write your query using mysqli. 以下是我使用mysqli编写查询的方法。 One advantage of using query parameters is you never need to worry about where you start and end your quotes. 使用查询参数的一个优点是您永远不必担心开始和结束报价的位置。
$query = "SELECT * from table1 where table1.age <= ? AND table1.region = ?";
$stmt = $mysqli->prepare($query) or trigger_error($mysqli->error, E_USER_ERROR);
$stmt->bind_param("is", $_POST["min_age"], $_POST["region"]);
$stmt->execute() or trigger_error($stmt->error, E_USER_ERROR);
The other good habit I'm showing here is to always report if prepare() or execute() return an error. 我在这里展示的另一个好习惯是始终报告prepare()或execute()是否返回错误。
If you must interpolate variables into your SQL, first make sure you protect the variables either by coercing the value to an integer, or else by using a proper escaping function like mysqli_real_escape_string(). 如果必须将变量插入到SQL中,首先要确保通过将值强制转换为整数来保护变量,或者通过使用正确的转义函数(如mysqli_real_escape_string())来保护变量。 Don't put $_POST variables directly into the string. 不要将$ _POST变量直接放入字符串中。 Also you don't have to stop and restart the quotes if you use PHP's syntax for embedding variables directly in double-quoted strings: 如果使用PHP的语法直接在双引号字符串中嵌入变量,也不必停止并重新启动引号:
$age = (int) $_POST["min_age"];
$region = $mysqli->real_escape_string($_POST["region"]);
$query = "SELECT * from table1 where table1.age <= {$age}
AND table1.region = '{$region}'";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.