当前位置: 文江博客话题详情

PHP 中的基本 SQL Select 语句格式

发布于 2024-10-22 00:46:00 字数 548 浏览 2 评论 0原文

我有一个可搜索的众议院和参议院数据库,我只想制作一个可以搜索该数据库的简单网页。唯一的问题是,虽然我可以轻松编写 SQL select 语句,但如何正确格式化它们以便在 PHP 中使用?

例如,这是我按州选择参议员的单选按钮:

$sql = "";
if ($_POST['pkChamber'] == "Senate") {
    if ($_POST['pkParty'] == "Y") {
        $sql = SELECT * FROM senateinfo
               WHERE state =  (Variable = "stname")
               ORDER BY last_name, first_name');
    }
    else
    {
        $sql = SELECT * FROM senateinfo
               WHERE state =  (Variable = "stname")
               ORDER BY last_name, first_name
    }
}
原文

I have a searchable database of the House and Senate and I just want to make a simple web page that can search this database. The only problem is, while I'm comfortable writing SQL select statements, how do I properly format them for use in PHP?

For example, here's my radio button to select Senators by state:

$sql = "";
if ($_POST['pkChamber'] == "Senate") {
    if ($_POST['pkParty'] == "Y") {
        $sql = SELECT * FROM senateinfo
               WHERE state =  (Variable = "stname")
               ORDER BY last_name, first_name');
    }
    else
    {
        $sql = SELECT * FROM senateinfo
               WHERE state =  (Variable = "stname")
               ORDER BY last_name, first_name
    }
}

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

一世旳自豪 2024-10-29 00:46:00

我不确定你在要求什么,但我有一个动态构建 WHERE 语句的可靠且安全的方法的好例子:

$w     = array();
$where = '';

if (!empty($_GET['rooms']))     $w[]="rooms='".mysql_real_escape_string($_GET['rooms'])."'";
if (!empty($_GET['space']))     $w[]="space='".mysql_real_escape_string($_GET['space'])."'";
if (!empty($_GET['max_price'])) $w[]="price < '".mysql_real_escape_string($_GET['max_price'])."'";

if (count($w)) $where = "WHERE ".implode(' AND ',$w);
$query = "select * from table $where";

希望这会有所帮助。

I am not sure what you're asking for, But I have a good example of reliable and safe way for building WHERE statement dynamically:

$w     = array();
$where = '';

if (!empty($_GET['rooms']))     $w[]="rooms='".mysql_real_escape_string($_GET['rooms'])."'";
if (!empty($_GET['space']))     $w[]="space='".mysql_real_escape_string($_GET['space'])."'";
if (!empty($_GET['max_price'])) $w[]="price < '".mysql_real_escape_string($_GET['max_price'])."'";

if (count($w)) $where = "WHERE ".implode(' AND ',$w);
$query = "select * from table $where";

Hope this helps.

回复 原文
热风软妹 2024-10-29 00:46:00

你的查询看起来不错。我认为您只需要了解 PHP 中字符串解析的一些细节即可。

当您使用双引号 (") 括住字符串时,PHP 实际上会尝试解析它,查找变量和/或其他要首先处理的 php 代码。类似这样:

$sql = "SELECT * FROM table WHERE state = '{$state}' AND user = {$user->id}";

PHP 会用 $state 替换该变量中定义的内容对于在该类中实例化的任何用户的 id 也是如此(此外,您不必将简单变量包装在 {} 中。它确实有助于提高可读性,但仅对类方法/变量是必需的。)

如果您使用单引号 (') 来括起一个字符串,PHP 只是将其视为正常的。 对于上面的查询,我建议将其括在单引号中,如下所示:

$sql = 'SELECT * FROM senateinfo WHERE state =  (Variable = "stname") ORDER BY last_name, first_name)';

如果稍后要在此查询中使用变量,那么您将需要。 这样,当您所做

$sql = "SELECT * FROM senateinfo WHERE state =  (Variable = \"stname\") ORDER BY last_name, first_name)";

的只是粘贴查询时,PHP 就不会错误地认为您试图错误地连接字符串。

Your query seems fine. I think you just need to understand some of the finer points of string parsing in PHP.

When you use double quotations (") to enclose a string, PHP actually will try to parse it looking for variables and/or other php code to process first. Something like this:

$sql = "SELECT * FROM table WHERE state = '{$state}' AND user = {$user->id}";

PHP will substitute out $state for whatever is defined in that variable and the same for the id of whatever user is instantiated in that class. (Also, you don't have to wrap your simple variables in {}. It does help with readability but is only required for class methods/variables.)

If you use single quotes (') to enclose a string, PHP simply treats it like normal. For your above query, I would suggest enclosing it in single quotes like this:

$sql = 'SELECT * FROM senateinfo WHERE state =  (Variable = "stname") ORDER BY last_name, first_name)';

If you want to use variables later on in this query, then you will need to escape the double quotations that are in there like this:

$sql = "SELECT * FROM senateinfo WHERE state =  (Variable = \"stname\") ORDER BY last_name, first_name)";

This way, PHP doesn't error out thinking you were trying to concatenate strings incorrectly when all you were doing was pasting a query.

回复 原文
不打扰别人 2024-10-29 00:46:00

您需要一次专注于一个问题。

尽量避免在 PHP 中编写 SQL,直到您清楚地掌握 PHP 中的字符串以及如何将变量注入到这些字符串中。所以:

阅读 PHP 中的字符串引用(双引号与单引号,是的,HEREDOC)

阅读 PHP 中字符串中的变量(请注意,如果它没有 $ 美元符号,则它是一个常量,而不是一个字符串变量。从应该使用它们的 $strings 和 $variables 开始,而不是 CONSTANT,只有在没有其他可用的情况下,它们才会转为字符串。)

阅读 PHP 中的绑定 SQL。其他任何事情都会引导您走上SQL 注入之路。如果您的 PHP SQL 中仅使用裸字符串,那么当您最终将 Web 脚本部署到严酷无情的 Internet 时,您就会面临失败。它充满了随时准备利用 SQL 注入脚本的鲨鱼。

这是我每天用来绑定 SQL 的代码示例,以自定义函数为中心,使其变得简单:

query("select * where someTable where someTable_id = :bound_id", array(':bound_id'=>13));

我可以为您提供一个用于创建绑定 SQL 的函数,就像稍后那样(当我实际上在计算机而不是移动设备上时)如果你有兴趣的话。

You need to focus on one issue at a time.

Try to avoid writing SQL in PHP until you've a clear handle on strings in PHP, and how to inject variables into those strings. So:

Read up on string quoting in PHP (double quotes vs. Single quotes, and yes, HEREDOC)

Read up on variables in strings in PHP (note that if it doesn't have a $ dollar sign, it's a CONSTANT, not a string variable. Start off right with $strings and $variables where they're supposed to be used, not CONSTANTs, which only fall back to turn into strings if nothing else is available.)

Read up on binding SQL in PHP. Anything else will lead you down the path of SQL injection. If there are only naked strings used in your PHP SQL, then you are setting yourself up for failure when you finally deploy your web scripts to the harsh and unforgiving Internet. It's full of sharks ready to take advantage of SQL injection prone scripts.

Here is an example of code I use daily to bind SQL, centered around a custom function that makes it easy:

query("select * where someTable where someTable_id = :bound_id", array(':bound_id'=>13));

I can get you a function for creating bound SQL simply like that later (when I'm actually at a computer instead of mobile) if you're interested.

回复 原文
像极了他 2024-10-29 00:46:00

我使用 HEREDOC 来编写重要的查询:

$sql = <<<EOL
SELECT blah, blah, blah
FROM table
WHERE (somefield = {$escaped_value}) ...
ORDER BY ...
HAVING ...
EOL;

Heredocs 的功能就像您执行了常规双引号一样字符串,但好处是没有转义内部引号。变量插值按预期工作,您也可以对文本进行缩进,因此您的查询看起来格式很好

I use HEREDOCs for writing out non-trivial queries:

$sql = <<<EOL
SELECT blah, blah, blah
FROM table
WHERE (somefield = {$escaped_value}) ...
ORDER BY ...
HAVING ...
EOL;

Heredocs function as if you'd done a regular double-quoted string, but with the bonus of not having escape internal quotes. Variable interpolation works as expected, and you can do indentation on the text as well, so your query looks nicely formatted

回复 原文
回心转意 2024-10-29 00:46:00

我总是这样做,以保持它看起来漂亮。

$sql = "SELECT * FROM senateinfo " .
       "WHERE state =  (Variable = "stname") " .
       "ORDER BY last_name, first_name')";

I always do mine like this to keep it looking nice.

$sql = "SELECT * FROM senateinfo " .
       "WHERE state =  (Variable = "stname") " .
       "ORDER BY last_name, first_name')";
回复 原文
~没有更多了~

关于作者

始终不够

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

1CH1MKgiKxn9p

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

JackDx

文章 0 评论 0

信远

文章 0 评论 0

yaoduoduo1995

文章 0 评论 0

霞映澄塘

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文