How do I build a dynamic SQL query?

Right, so I have a set of dropdowns on my page. Depending on whether a value is selected, I want to add it to an SQL query string in PHP. Example:

select1: options("*", "op1", "op2")
select2: options("*", "op1", "op2")
select3: options("*", "op1", "op2")

'*' refers to anything, i.e. the data should not be filtered by that query option. Now, how do I build the query for this quickly and simply? Currently, I have something like this:

$query = '';
$found = 0;
$op1 = $_POST['select1'];
$op2 = $_POST['select2'];
$op3 = $_POST['select3'];

// '*' means "do not filter on this column"; any other value is wrapped in
// quotes and interpolated into the SQL string as-is
if ($op1 != '*')
{
    $found = 1;
    $op1 = "'" . $op1 . "'";
    $query = "WHERE op1=$op1 ";
}

// $found tracks whether a WHERE clause has been started already
if ($op2 != '*')
{
    $op2 = "'" . $op2 . "'";
    if ($found == 1)
    {
        $query = $query . "AND op2=$op2 ";
    }
    else
    {
        $found = 1;
        $query = "WHERE op2=$op2 ";
    }
}

if ($op3 != '*')
{
    $op3 = "'" . $op3 . "'";
    if ($found == 1)
    {
        $query = $query . "AND op3=$op3 ";
    }
    else
    {
        $found = 1;
        $query = "WHERE op3=$op3 ";
    }
}

Now, obviously, this is quite annoying to implement. Is there any easier method?

Thanks.

I would probably have used a class MyQueryBuilder with the following methods:

AddSelectionColumn(String ColumnName, String Alias)
AddTableSource(String TableName, String Alias)
AddTableJoin(String Table1, String Alias1, String Table2, String Alias2, String Col1, String Col2, JoinType Join)
AddFilterCondition(String ColumnName, String Alias, String Condition)

It might give better control over the code...

I do a lot of this in my perl CGI scripts, and this is how I format it for simplicity / readability:

First, I use a separate variable for the where clause, and always set a condition of 1 = 1 so all subsequent conditions are "and" conditions:

my $whereClause      =<<ENDWHERESQL;
where
   1 = 1
ENDWHERESQL

if ( $op1 ne "*" )    { $whereClause .= "     and op1 = '".safeSQL($op1)."'\n"; }
if ( $op2 ne "*" )    { $whereClause .= "     and op2 = '".safeSQL($op2)."'\n"; }
if ( $op3 ne "*" )    { $whereClause .= "     and op3 = '".safeSQL($op3)."'\n"; }

then I use a simple function to protect against simple SQL injection attacks, because even though you are using drop down lists - someone could still put a "?op1=(evil sql)" on the end of your URL, and it might get through your form into your query:

#******************************************************************************
# Function: safeSQL()
#   Author: Ron Savage
#     Date: 04/22/2009
# 
# Description:
# This removes update,create,drop,deletes from SQL.
#******************************************************************************
sub safeSQL
   {
   my $cmd;
   my ( $inText,$commandList ) = @_;

   # default keyword blacklist; the caller may pass its own comma-separated list
   if (!defined($commandList)) { $commandList = "create,delete,select,update,dele,drop,exec,insert"; }

   foreach $cmd (split(/\,/,$commandList))
      {
      # the keyword is replaced only when it is surrounded by spaces, or sits
      # at the start of the string followed by a space (case-insensitive)
      $inText =~ s/ $cmd |^$cmd /** no_${cmd}_allowed! **/gi;
      }

   return($inText);
   }
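A parameterized way to build the same dynamic WHERE clause, added here as an example (it is not code from the question or from either answer). It is written in Python with sqlite3 so it runs stand-alone; the same pattern applies with PDO placeholders in PHP. The `items` table, its rows and the selection dict are constructed for the demo.

```python
import sqlite3

# Constructed sample rows; the column names follow the question (op1..op3).
ROWS = [
    ("op1", "op1", "op1"),
    ("op1", "op2", "op1"),
    ("op2", "op2", "op2"),
]

# Column names cannot be bound as parameters, so the filterable columns
# come from this fixed list, never from the request.
FILTER_COLUMNS = ("op1", "op2", "op3")


def build_where(selections):
    """Return (sql_fragment, params) for the dropdown selections.

    selections maps column name -> chosen value; '*' means "don't filter".
    Values are never spliced into the SQL text; each becomes a '?' placeholder.
    """
    conditions = []
    params = []
    for column in FILTER_COLUMNS:
        value = selections.get(column, "*")
        if value == "*":
            continue
        conditions.append(f"{column} = ?")
        params.append(value)
    if not conditions:
        return "", []
    return " WHERE " + " AND ".join(conditions), params


def query_items(conn, selections):
    where_sql, params = build_where(selections)
    sql = "SELECT op1, op2, op3 FROM items" + where_sql
    return conn.execute(sql, params).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (op1 TEXT, op2 TEXT, op3 TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    return conn


if __name__ == "__main__":
    conn = make_db()
    print(query_items(conn, {"op1": "op1", "op2": "*", "op3": "*"}))
    # A tampered value is compared literally as a string and matches no row.
    print(query_items(conn, {"op1": "op1' OR '1'='1", "op2": "*", "op3": "*"}))
```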
