PHP Search MySQL Database - Multiple Search Variables

For all those that care, the if not empty statement worked for me

I'm new to SQL and PHP and am trying to implement a search functionality to grab data from a MySQL database that deals with wines.

I have figured out how to do a query where there is one search variable, and I have figured out how to do it with two search variables. I'm sure I could continue on that pattern, but what I'd like to do is implement a search function that can search based on what the user inputs into the variables (that means the user must enter at least one value, and the search will grab fields relevant to the search variable).

Say for example I have these search variables:

  • wine name - (user can leave this blank or enter a value)
  • wine type - (user enters a value)
  • year - (user can leave this blank or enter a value)

Based on how many variables the user enters will dictate how refined the search is.

I've tried searching the forums but can't seem to find anything. Apologies if my formatting or question is wrong. Would appreciate any help or a point in the right direction, thanks!

Here is my code so far that works if the user enters both variables 'wineName' and 'wineryName'. Tried using isset to trigger some sort of switch, but I don't think I'm on the right track.

<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html401/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title>Answer Page</title>
</head>
<body bgcolor="white">

<?php 

    function showerror() {
        die("Error " . mysql_errno() . " : " . mysql_error());
    }

    require 'db.php';

    // Show all wines in a region in a <table>
    function displayWines($connection, $query, $wineName) {
    // Run the query on the server
        if (!($result = @ mysql_query ($query, $connection))) {
            showerror();
        }

    // Find out how many rows are available
        $rowsFound = @ mysql_num_rows($result);

        // If the query has results ...
        if ($rowsFound > 0) {
            // ... print out a header
            print "You searched for $wineName with a region of $wineryName <br><br>";

            // and start a <table>.
            print "\n<table>\n<tr>" .
                "\n\t<th>Wine ID</th>" .
                "\n\t<th>Wine Name</th>" .
                "\n\t<th>Winery Name</th>" . 
                "\n\t<th>Year</th>\n</tr>"; 

            // Fetch each of the query rows
            while ($row = @ mysql_fetch_array($result)) {
            // Print one row of results
            print "\n<tr>\n\t<td>{$row["wine_id"]}</td>" .
                "\n\t<td>{$row["wine_name"]}</td>" .
                "\n\t<td>{$row["winery_name"]}</td>" .
                "\n\t<td>{$row["year"]}</td>\n</tr>"; 
            } //end while loop body

            //finish table 
            print "\n</table>"; 
        } //end if $rowsFound body 

        //Report how many rows were found
        print "<br>{$rowsFound} records found matching your criteria<br>"; 
    } //end of function

    // Connect to the MySQL server
    if (!($connection = @ mysql_connect(DB_HOST, DB_USER, DB_PW))) {
        die("Could not connect");
    }

    //get user data 
    $wineName = $_GET['wineName']; 
    $wineryName = $_GET['wineryName'];

    if (!mysql_select_db(DB_NAME, $connection)) {
        showerror();
    }

    //start a query 
    $query = "SELECT wine_id, wine_name, winery_name, year 
    FROM wine, winery 
    WHERE wine.winery_id = winery.winery_id"; 

    if (isset($wineName)) {
        $query .= " AND wine_name = '{$wineName}'";
    }

    if (isset($wineryName)) {
        $query .= " AND winery_name = '{$wineryName}'";
    }

    //order the list 
    $query .= " ORDER BY wine_name"; 

    //run query, show results 
    displayWines($connection, $query, $wineName); 

?>

</body>
</html>

First of all, change your INPUT's names to an array, e.g.

<input name="wine[wineName]" ...>
<input name="wine[wineryName]" ...>

Now you have to change the way you get the user data:

// Map each allowed form field to its column name ("whitelist")
$fields = array('wineName' => 'wine_name', 'wineryName' => 'winery_name');
// Get the fields given by the user, skipping blank or non-string values
$wine = array();
foreach ($fields as $field => $column) {
    if (isset($_GET['wine'][$field]) && is_string($_GET['wine'][$field])
            && $_GET['wine'][$field] !== '') {
        $wine[$column] = mysql_real_escape_string($_GET['wine'][$field]);
    }
}

// ... your code here ...

//start a query
$query = "SELECT wine_id, wine_name, winery_name, year 
FROM wine, winery 
WHERE wine.winery_id = winery.winery_id";

// $column comes from the whitelist above, $value is already escaped
foreach ($wine as $column => $value) {
    $query .= " AND ".$column." = '".$value."'";
}

One important hint: NEVER use user given input in your query without escaping! (see http://php.net/manual/en/function.mysql-real-escape-string.php)

//start a query 
$query = "SELECT wine_id, wine_name, winery_name, year 
FROM wine, winery 
WHERE wine.winery_id = winery.winery_id"; 

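if (isset($wineName)) {
    // Escape the value before it is placed inside the quoted LIKE pattern
    $query .= " AND wine_name LIKE '%" . mysql_real_escape_string($wineName) . "%'";
}

if (isset($wineryName)) {
    $query .= " AND winery_name LIKE '%" . mysql_real_escape_string($wineryName) . "%'";
}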

//order the list 
$query .= " ORDER BY wine_name"; 

//run query, show results 
displayWines($connection, $query, $wineName); 

Please have a look at the following lines:

print "\n<tr>\n\t<td>{$row["wine_id"]}</td>" .
      "\n\t<td>{$row["wine_name"]}</td>" .
      "\n\t<td>{$row["winery_name"]}</td>" .
      "\n\t<td>{$row["year"]}</td>\n</tr>"; 

It should be

print "\n<tr>\n\t<td>{$row['wine_id']}</td>" .
      "\n\t<td>{$row['wine_name']}</td>" .
      "\n\t<td>{$row['winery_name']}</td>" .
      "\n\t<td>{$row['year']}</td>\n</tr>"; 

instead. Your double quotes for the array key are closing your string.

Note:

Because your tutor has said to use the deprecated mysql_* functions you can't do much about it. But please bear in mind that you should rather use parameterized prepared statements and bind your input values to the parameters (with PDO or mysqli).
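
The parameterized approach recommended in the note above, applied to the optional-field search from the question, as an added example that is not code from any of the answers. It assumes PHP 7.1+ with PDO; `buildWineSearch`, the `SEARCHABLE` map and the `year` form field are hypothetical names, and the in-memory SQLite data is constructed so the script runs without a MySQL server.

```php
<?php
// Column names come only from this fixed map; user values are always bound.
const SEARCHABLE = [
    'wineName'   => ['wine_name', 'like'],
    'wineryName' => ['winery_name', 'like'],
    'year'       => ['year', 'exact'],
];
function buildWineSearch(array $input): array   // hypothetical helper
{
    $where = $params = [];
    foreach (SEARCHABLE as $field => [$column, $mode]) {
        $value = $input[$field] ?? '';
        $value = is_string($value) ? trim($value) : ''; // ignore arrays (wineName[]=x)
        if ($value === '') {
            continue; // a blank field adds no condition
        }
        if ($mode === 'like') {
            // Escape LIKE wildcards so a typed "%" or "_" matches literally.
            $value = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value) . '%';
            $where[] = "$column LIKE :$field ESCAPE '!'";
        } else {
            $where[] = "$column = :$field";
        }
        $params[":$field"] = $value;
    }
    if (!$where) {
        throw new InvalidArgumentException('Enter at least one search value');
    }
    $sql = 'SELECT wine_id, wine_name, winery_name, year FROM wine'
         . ' JOIN winery ON wine.winery_id = winery.winery_id'
         . ' WHERE ' . implode(' AND ', $where) . ' ORDER BY wine_name';
    return [$sql, $params];
}
// Constructed sample data in an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE winery (winery_id INTEGER PRIMARY KEY, winery_name TEXT);
    CREATE TABLE wine (wine_id INTEGER PRIMARY KEY, wine_name TEXT, year INTEGER, winery_id INTEGER);
    INSERT INTO winery VALUES (1, 'Hill Estate'), (2, 'O''Neill Cellars');
    INSERT INTO wine VALUES (1, 'Shiraz', 1999, 1), (2, 'Merlot', 2001, 2)");
// Blank wineName is skipped; the apostrophe in wineryName is plain data once bound.
foreach ([['wineName' => '', 'year' => '1999'], ['wineryName' => "O'Neill"]] as $input) {
    [$sql, $params] = buildWineSearch($input);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES), "\n"; // encode on output
    }
}
```

Against MySQL only the PDO connection line changes; the query text and the bound parameters stay the same.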
