在最小值和最大值之间mysqli
[英]Between min and max value mysqli
问题描述
I have to create a PHP web page with two text fields in which the user can enter minimum and maximum item prices from a SQL database. 
我必须创建一个包含两个文本字段的PHP网页,用户可以在其中输入SQL数据库中的最低和最高商品价格。 So I have items with prices. 所以我有带价格的物品。 For example, if a user wants to see items between the prices 4 and 15, he can submit it and then it will show only the items in that price range. 例如,如果用户希望查看价格在4到15之间的商品,则可以提交该商品,然后它将仅显示该价格范围内的商品。 How can I do this? 我怎样才能做到这一点? How to echo this? 如何回应呢?
Thank you! 谢谢!
I have this so far: 到目前为止,我有:
$min=$_POST["minimum"];
$max=&$_POST["maximum"];
$result = mysqli_query($con,"SELECT * FROM items WHERE selling price BETWEEN {$min}+1 AND {$max}");
3 个解决方案
解决方案1
1 2014-10-09 15:31:29
Apart from a major SQL Injection issue, your script is looking fine. 除了主要的SQL注入问题外,您的脚本看起来还不错。 Just some small typs and syntax errors. 只是一些小的错误和语法错误。 Compare this one to yours: 将此与您的比较:
$min=(int)$_POST["minimum"];
$max=(int)$_POST["maximum"];
$result = mysqli_query($con,"SELECT * FROM items WHERE selling_price BETWEEN {$min}+1 AND {$max}");
So, what did I change? 那么,我做了什么改变?
- At least cast posted values to int to remove the chance of anyone injecting malicious SQL code into your query. 至少将发布的值强制转换为int,以消除任何人向您的查询中注入恶意SQL代码的机会。 You should use proper escaping in the future 您以后应该使用适当的转义
- You dont need to add the
&character before in line two.您无需在第二行之前添加&字符。 You dont need to assign the value by reference.您不需要通过引用分配值。 just assign the plain old way 只是分配普通的旧方法 - column and table names can not conain spaces in MySQL. 列名和表名不能包含MySQL中的空格。 Are you sure that is the correct name of the column? 您确定这是该列的正确名称吗? Maybe there was an underscore? 也许有下划线?
解决方案2
0 2014-10-09 15:39:31
One of the many safer and simpler ways of doing that would be 这样做的许多更安全,更简单的方法之一是
$dsn = "mysql:dbname=test;host=127.0.0.1";
$dbh = new PDO($dsn, 'username', 'password');
if(isset($_POST["minimum"]) && isset($_POST["maximum"]))
{
$min=floatval($_POST["minimum"]); //+1 is not needed
$max=floatval($_POST["maximum"]);
$sth = $dbh->prepare("SELECT * FROM items WHERE selling_price BETWEEN ? AND ?");
$sth->execute(array($min,$max));
while($row = $sth->fetch(PDO::FETCH_OBJ))
{
print_r($row);
}
}
解决方案3
-1 2014-10-09 15:33:56
That should do the trick for you: 那应该为您解决问题:
if(isset($_POST['minimum'])){
$min = $_POST['minimum'];
}else{
$min = '';
}
if(isset($_POST['maximum'])){
$max = $_POST['maximum'];
}else{
$max = '';
}
$sql = "SELECT * FROM item WHERE selling_brice > '$min' AND selling_price < '$max'";
$query = mysqli_query($con, $sql);
$count = mysqli_num_rows($query);
if($query == true && $count > 0 ){
while ($row = mysqli_fetch_assoc($query)){
$price .= $row['selling_price'];
$price .= '<br />'
}
echo $price;
}else{
echo "NO results to Display";
}
Ofcourse this is not the best programing mysql injections, your query uses * etc....but this should work. 当然,这不是最佳的mysql注入编程方法,您的查询使用*等。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.