[英]MSSQL and PHP Advanced Search Engine not Querying Properly
I have an advanced, yet simple, PHP search engine for my MSSQL table products
. 我有一个用于MSSQL表products
的高级,简单的PHP搜索引擎。 The search engine has three text inputs. 搜索引擎具有三个文本输入。 The first input is for the make
column of the table, the second is for the product_name
column of the table, and the last is for my material
column from the table. 第一个输入用于表的make
列,第二个输入用于表的product_name
列,最后一个输入用于表中的我的material
列。 My problem, from what I can see, is that when I leave two inputs blank and type in valve
, the query should echo SELECT * FROM products WHERE 1=1 AND product_name = 'valve'
. 从我所看到的我的问题是,当我将两个输入留空并输入valve
,查询应回显SELECT * FROM products WHERE 1=1 AND product_name = 'valve'
。 Instead, the query is echoing SELECT * FROM products WHERE 1=1
. 而是,查询回显SELECT * FROM products WHERE 1=1
。 I don't know why that is happening, and I think I could use another set of eyes to figure out this issue. 我不知道为什么会这样,我想我可以用另一组眼睛来解决这个问题。
Here is the full PHP code: 这是完整的PHP代码:
<form action="<?php $_PHP_SELF ?>" method="post">
<input type="text" name="make">
<input type="text" name="parttype">
<input type="text" name="material">
<input type="submit" name="submit">
</form>
<?php
$conn = mssql_connect('gdm','ger','Rr1!');
mssql_select_db('Ggler',$conn);
if (isset($_POST['submit'])) {
$cheack = "";
if(isset($_GET["make"])&&$_GET["make"] != ""){
$make = $_POST['make'];
$cheack.=" AND make = '$make' ";
}
if(isset($_GET["parttype"])&&$_GET["parttype"] != ""){
$parttype = $_POST['parttype'];
$cheack.=" AND product_name = '$parttype' ";
}
if(isset($_GET["material"])&&$_GET["material"] != ""){
$material = $_POST['material'];
$cheack.=" AND material = '$material' ";
}
$DB = "SELECT * FROM products WHERE 1=1 ".$cheack;
$runquery = mssql_query($DB, $conn);
$dad = mssql_fetch_assoc($runquery);
echo "".$DB."";
}else {
echo "No search made"; }
?>
Thank you for any help. 感谢您的任何帮助。 All help is greatly appreciated. 非常感谢所有帮助。
Spot the problem: 发现问题:
<form action="<?php $_PHP_SELF ?>" method="post">
^^^^^
if(isset($_GET["make"])&&$_GET["make"] != ""){
^^^^ ^^^^
As well, you are vulnerable to SQL injection attacks . 同样,您也容易受到SQL注入攻击的攻击 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.