简化mysql过滤查询
我正在为选角经理构建一个平台来对演员进行分类并能够浏览它们。我的表“演员”设置了名字、姓氏、电子邮件、电话、地址等。
我有一个 browser.php 页面,其中有一个用于过滤结果的表单。这是我的类,我需要帮助简化以及在字段为空时消除通配符结果。
我将表单数据传递到数组 $search 中,该类检查数组部分是否已填充并写入 SQL 查询。
public function getActors($search) {
if(isset($search)) {
if($search["first_name"] == NULL) { $first_name = "LIKE '%'"; } else { $first_name = "LIKE '".$search["first_name"]."'"; }
if($search["last_name"] == NULL) { $last_name = "LIKE '%'"; } else { $last_name = "LIKE '".$search["last_name"]."'"; }
if($search["gender"] == NULL) { $gender = "LIKE '%'"; } else { $gender = " = '".$search["gender"]."'"; }
if($search["address_state"] == NULL) { $address_state = "LIKE '%'"; } else { $address_state = " = '".$search["address_state"]."'"; }
if($search["ethnicity"] == NULL) { $ethnicity = "LIKE '%'"; } else { $ethnicity = " = '".$search["ethnicity"]."'"; }
if($search["status"] == NULL) { $status = "LIKE '%'"; } else { $status = " = '".$search["status"]."'"; }
$sql = "SELECT * FROM actor WHERE
first_name ".$first_name." AND
last_name ".$last_name." AND
gender ".$gender." AND
address_state ".$address_state." AND
ethnicity ".$ethnicity." AND
status ".$status."
";
} else {
$sql = "SELECT * FROM actor";
}
$s = mysql_query($sql) or die (mysql_error());
$numrows = mysql_num_rows($s);
for($x=0; $x < $numrows; $x++){
$actorArray[$x] = mysql_fetch_row($s);
}
return $actorArray;
}
对简化这个有什么帮助或建议吗?
I'm building a platform for a casting manager to catalog Actors and be able to browse them. My table 'actor' is set up with first name, last name, email, phone, address etc.
I have a browse.php page which has a form to filter results. Here's my class that I need help simplifying as well as getting rid of the wild card result when a field is null.
I pass through the form data into an array, $search, and the class checks if the array section is filled and writes to the SQL query.
public function getActors($search) {
if(isset($search)) {
if($search["first_name"] == NULL) { $first_name = "LIKE '%'"; } else { $first_name = "LIKE '".$search["first_name"]."'"; }
if($search["last_name"] == NULL) { $last_name = "LIKE '%'"; } else { $last_name = "LIKE '".$search["last_name"]."'"; }
if($search["gender"] == NULL) { $gender = "LIKE '%'"; } else { $gender = " = '".$search["gender"]."'"; }
if($search["address_state"] == NULL) { $address_state = "LIKE '%'"; } else { $address_state = " = '".$search["address_state"]."'"; }
if($search["ethnicity"] == NULL) { $ethnicity = "LIKE '%'"; } else { $ethnicity = " = '".$search["ethnicity"]."'"; }
if($search["status"] == NULL) { $status = "LIKE '%'"; } else { $status = " = '".$search["status"]."'"; }
$sql = "SELECT * FROM actor WHERE
first_name ".$first_name." AND
last_name ".$last_name." AND
gender ".$gender." AND
address_state ".$address_state." AND
ethnicity ".$ethnicity." AND
status ".$status."
";
} else {
$sql = "SELECT * FROM actor";
}
$s = mysql_query($sql) or die (mysql_error());
$numrows = mysql_num_rows($s);
for($x=0; $x < $numrows; $x++){
$actorArray[$x] = mysql_fetch_row($s);
}
return $actorArray;
}
Any help on simplifying this or suggestions?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
对于条件,我可以使用 foreach 循环。
for the conditions, I you can use a foreach loop.
怎么样(在
isset块内)...正如 @Dvir 所提到的,最好在 SQL 语句中使用位置参数。
What about (within the
issetblock)...And as mentioned by @Dvir, it's better to use positional parameters in your SQL statements.
喜欢“%”?严重地?如果特定子句为空,为什么不直接不包含它呢?此外,您的查询容易受到SQL 注入的攻击。
阅读有关 SQL 注入的内容后,您可以通过遍历 $search 数组、添加特定子句并绑定参数来添加 WHERE 子句。
LIKE '%'? seriously? why not just don't include the specific clause if it's null?Also, your query is vulnerable to SQL injections.
After reading about SQL injections, you can just add the WHERE clauses by going over the $search array, adding the specific clause, and binding the parameter.