[英]Multiple Search Form in one Submit button PHP/HTML
我正在嘗試創建一個搜索查詢,用戶可以在其中使用名字或姓氏或兩者來搜索數據庫。 我只能使用一種類型的搜索來執行此操作,但是如果同時執行兩種操作,則不確定如何執行此操作。
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Search Contacts</title>
<link href="site.css" rel="stylesheet">
</head>
<body>
<nav id="nav01"></nav>
<div id="main">
<h3>Search Contact Details</h3>
<form method="post" action="#" id="searchform">
First Name:<br>
<input type="text" name="fname">
<br>Last Name:<br>
<input type="text" name="lname">
<br>
<input type="submit" name="submit" value="Search">
</form>
<?php
$servername = "xxx";
$username = "xxx";
$password = "xxx";
$dbname = "xxx";
$myquery = mysqli_real_escape_string($connection,$_POST["fname"]);
$myquery2 = mysqli_real_escape_string($connection,$_POST['lname']);
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
// SQL query
if (!empty($myquery)) {
$sql = "select distinct ID, FirstName, LastName, Email, PhoneNumber
from Userlist where FirstName LIKE '%". $myquery ."%' OR LastName LIKE '%".$myquery2."%'";
//Get query on the database
$result = mysqli_query($conn, $sql);
//Check results
if (mysqli_num_rows($result) > 0)
{
//Headers
echo "<table>";
echo "<tr>";
echo "<th>Image ID</th>";
echo "<th>Lastname</th>";
echo "<th>Firstname</th>";
echo "<th>Email</th>";
echo "<th>PhoneNumber</th>";
echo "</tr>";
//output data of each row
while($row = mysqli_fetch_assoc($result))
{
echo "<tr>";
echo "<td>".$row['ID']."</td>";
echo "<td>".$row['LastName']."</td>";
echo "<td>".$row['FirstName']."</td>";
echo "<td>".$row['Email']."</td>";
echo "<td>".$row['PhoneNumber']."</td>";
echo "</tr>";
}
echo "</table>";
} else {
echo "0 results";
}
}
mysqli_close($conn);
?>
<footer id="foot01"></footer>
</div>
<script src="script.js"></script>
</body>
</html>
您可以簡單地使用OR並在ID上進行區分,因此,如果用戶同時搜索FirstName和LastName,則只能獲得1個條目
$myquery = mysqli_real_escape_string($connection,$_POST["fname"]); //<<< change $connection to your connection variable
$myquery2 = mysqli_real_escape_string($connection,$_POST['lname']);
$sql = "select distinct ID, FirstName, LastName, Email, PhoneNumber
from Userlist where FirstName LIKE '%". $myquery ."%' OR LastName LIKE '%".$myquery2."%'";
您應該使用查詢來轉義您在查詢中搜索的所有內容
mysqli_real_escape_string
如上所述,或者您最好使用准備好的陳述
編輯:
這個 :
$myquery = mysqli_real_escape_string($connection,$_POST["fname"]);
$myquery2 = mysqli_real_escape_string($connection,$_POST['lname']);
需要在建立連接之后。 當您使用$ conn進行連接時,需要將其更改為
$myquery = mysqli_real_escape_string($conn,$_POST["fname"]);
$myquery2 = mysqli_real_escape_string($conn,$_POST['lname']);
像這樣:
<?php
$servername = "xxx";
$username = "xxx";
$password = "xxx";
$dbname = "xxx";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
$myquery = mysqli_real_escape_string($conn,$_POST["fname"]);
$myquery2 = mysqli_real_escape_string($conn,$_POST['lname']);
您可以這樣:
<?php
if(strlen($_POST["fname"])>0 AND strlen($_POST["lname"])>0){
$sql = "SELECT ID, FirstName, LastName, Email, PhoneNumber FROM Userlist WHERE FirstName LIKE '%". $_POST["fname"])>."%' AND LastName LIKE '%". $_POST["lname"])>."%'";
}
elseif(strlen($_POST["fname"])>0 AND strlen($_POST["lname"])==0){
$sql = "SELECT ID, FirstName, LastName, Email, PhoneNumber FROM Userlist WHERE FirstName LIKE '%". $_POST["fname"])>."%'";
}
elseif(strlen($_POST["lname"])>0 AND strlen($_POST["fname"])==0){
$sql = "SELECT ID, FirstName, LastName, Email, PhoneNumber FROM Userlist WHERE LastName LIKE '%". $_POST["lname"])>."%'";
}
else{
//No keywords specified
}
?>
您的代碼受到sql注入攻擊,因此我嘗試通過更正使其變得更好。
<h3>Search Contact Details</h3>
<form method="post" action="#" id="searchform">
First Name:<br>
<input type="text" name="fname">
<br>Last Name:<br>
<input type="text" name="lname">
<br>
<input type="submit" name="submit" value="Search">
</form>
<?php
/*USE PDO prepared statement to prevent mysql injection attacks*/
//PDo constructor instantiating instance of database object.
$pdo = PDO('mysql:host=localhost;dbname=YourDatabaseName;charset=utf8', 'YourUserName', 'YourPassword');
//check if something is submitted
if(isset($_POST['submit']) ){
//remove tags from the user input
$fname = strip_tags('%'.$_POST['fname'].'%');
$lname = strip_tags('%'.$_POST['lname'] .'%');
//you need to use the if- conditional to
//check if one or both fields are set
if ( (isset($fname) && !empty($fname)) || (isset($lname) && !empty($lname)) ) {
try{
$sql = "SELECT distinct ID, FirstName, LastName, Email, PhoneNumber
FROM Userlist
WHERE `FirstName` LIKE :FirstName OR `LastName` LIKE :LastName";
//Prepare the statment
$query = $pdo->prepare($sql);
$query->bindParam(':FirstName', $fname, PDO::PARAM_STR);
$query->bindParam(':LastName', $lname, PDO::PARAM_STR);
$query->execute();
$result = $query->fetchAll();
} catch (Exception $e) {
print "Database Problem: " . $e->getMessage();
}
}
//you can use foreach to display the result.
foreach ($result as $res):
echo $rs['FirstName']; //and so on
endforeach;
}
else{
echo 'search for some thing';
}
?>
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.