[英]PHP/MSSQL - Filtering from User Input (HTML)
I have been given this assignment, to include some sort of filtering to my current SQL query via User Input. 我已获得此分配,以通过用户输入对当前的SQL查询进行某种过滤。 Basically, i am looking for a filtering option, whether its some kind of menu or button, really doesn't matter. 基本上,我正在寻找筛选选项,无论是某种菜单还是按钮,都没有关系。 My mssql is as follows: 我的mssql如下:
SELECT TOP 10 Test_Database.Distributor, Test_Database.Value
FROM Test_Database
WHERE Test_Database.Week = '(USER INPUT GOES HERE)'
GROUP BY Distributor
ORDER BY Value desc
How can i make the WHERE
statement a User Input? 如何使WHERE
语句成为用户输入? For instance.. A client wants to see the given value of some distributor, but in the week/month/year of the clients choice. 例如,客户希望看到某个分销商的给定值,但要查看客户选择的周/月/年。
Regards 问候
im not sure but maybe you can try. 我不确定,但也许您可以尝试。
<input type="text" name="week"/>
Post this textbox value in select page and set that value in where close. 在选择页面中发布此文本框值,然后在关闭位置设置该值。
You can do that simply by introducing if else statement
$where = "";
//receive filter option example $_GET['week']
//Do some sanitizing for $_GET['week']
if ($_GET['week']) {
$where = "WHERE Test_Database.Week = $_GET['week']"
} else if (somecondition) {
$where = "some query";
}
//You can add multiple condition by concatenating $where, but make sure where not repeats //您可以通过串联$ where来添加多个条件,但要确保在哪里不重复
$query = "SELECT TOP 10 Test_Database.Distributor, Test_Database.Value
FROM Test_Database
$where
GROUP BY Distributor
ORDER BY Value desc "
there should not be ANY data from user in sql query sql查询中不应有来自用户的任何数据
that did not pass filter 没有通过过滤器
sql-injection is not an empty word sql-injection不是一个空词
so no $_GET['week'] in sql if you didn't clear it 因此,如果您不清除,则在SQL中没有$ _GET ['week']
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.