尝试将表单搜索转换为 PDO 查询
Trying to convert form search into PDO query
这是我之前的代码,一个 SO 用户说它容易注入,所以我决定尝试将其转换为与 PDO 一起使用。
if(isset($_POST['q'])) {
$q = $_POST['q'];
$select = $db->query("SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC");
<form method="post">
<input type="text" name="q" /> <input type="submit" name="search" />
</form>
这是我尝试插入的代码:
include 'database.php';
$pdo = Database::connect();
$q = $_POST['q'];
$sql = 'SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC';
if(isset($_POST['q'])) {
foreach ($pdo->query($sql) as $row) {
echo '<tr>';
echo '<td>'. $row['name'] . '</td>';
echo '<td>'. $row['email'] . '</td>';
echo '<td>'. $row['mobile'] . '</td>';
echo '<td width=250>';
echo '<a class="btn" href="read.php?id='.$row['id'].'">Read</a>';
echo ' ';
echo '<a class="btn btn-success" href="update.php?id='.$row['id'].'">Update</a>';
echo ' ';
echo '<a class="btn btn-danger" href="delete.php?id='.$row['id'].'">Delete</a>';
echo '</td>';
echo '</tr>';
}
}
Database::disconnect();
?>
我得到的错误是:
注意:未定义索引:q
警告:除以零
关于为什么会发生这种情况有什么想法吗?
用这个替换你的查询
$sql = "SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC";
您可以通过将条件更改为
来使用您的代码
if(isset($q)){
// your code
}
您收到错误消息,因为 q 不存在,您还没有将其发布到页面。你应该尝试这样的事情:
$pdo = Database::connect();
$q = filter_input(INPUT_POST, 'q', FILTER_SANITIZE_STRING);
if ($q)
{
$query = "SELECT * FROM customers WHERE name LIKE :q OR email LIKE :q ORDER BY ID DESC";
$sth = $pdo->prepare($query);
$sth->bindParam(':q', "%{$q}%", PDO::PARAM_STR);
$sth->execute();
}
The error I get is : Notice: Undefined index: q Warning: Division by zero
这意味着 $_POST['q'] 没有定义你的代码应该是
if(isset($_POST['q'])) {
$pdo = Database::connect();
$q = $_POST['q'];
$sql = 'SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC';
foreach ($pdo->query($sql) as $row) {
echo '<tr>';
echo '<td>'. $row['name'] . '</td>';
echo '<td>'. $row['email'] . '</td>';
echo '<td>'. $row['mobile'] . '</td>';
echo '<td width=250>';
echo '<a class="btn" href="read.php?id='.$row['id'].'">Read</a>';
echo ' ';
echo '<a class="btn btn-success" href="update.php?id='.$row['id'].'">Update</a>';
echo ' ';
echo '<a class="btn btn-danger" href="delete.php?id='.$row['id'].'">Delete</a>';
echo '</td>';
echo '</tr>';
}
}
Database::disconnect();
}
?>
并且不要忘记添加 html 表格
这是我之前的代码,一个 SO 用户说它容易注入,所以我决定尝试将其转换为与 PDO 一起使用。
if(isset($_POST['q'])) {
$q = $_POST['q'];
$select = $db->query("SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC");
<form method="post">
<input type="text" name="q" /> <input type="submit" name="search" />
</form>
这是我尝试插入的代码:
include 'database.php';
$pdo = Database::connect();
$q = $_POST['q'];
$sql = 'SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC';
if(isset($_POST['q'])) {
foreach ($pdo->query($sql) as $row) {
echo '<tr>';
echo '<td>'. $row['name'] . '</td>';
echo '<td>'. $row['email'] . '</td>';
echo '<td>'. $row['mobile'] . '</td>';
echo '<td width=250>';
echo '<a class="btn" href="read.php?id='.$row['id'].'">Read</a>';
echo ' ';
echo '<a class="btn btn-success" href="update.php?id='.$row['id'].'">Update</a>';
echo ' ';
echo '<a class="btn btn-danger" href="delete.php?id='.$row['id'].'">Delete</a>';
echo '</td>';
echo '</tr>';
}
}
Database::disconnect();
?>
我得到的错误是: 注意:未定义索引:q 警告:除以零
关于为什么会发生这种情况有什么想法吗?
用这个替换你的查询
$sql = "SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC";
您可以通过将条件更改为
来使用您的代码if(isset($q)){
// your code
}
您收到错误消息,因为 q 不存在,您还没有将其发布到页面。你应该尝试这样的事情:
$pdo = Database::connect();
$q = filter_input(INPUT_POST, 'q', FILTER_SANITIZE_STRING);
if ($q)
{
$query = "SELECT * FROM customers WHERE name LIKE :q OR email LIKE :q ORDER BY ID DESC";
$sth = $pdo->prepare($query);
$sth->bindParam(':q', "%{$q}%", PDO::PARAM_STR);
$sth->execute();
}
The error I get is : Notice: Undefined index: q Warning: Division by zero
这意味着 $_POST['q'] 没有定义你的代码应该是
if(isset($_POST['q'])) {
$pdo = Database::connect();
$q = $_POST['q'];
$sql = 'SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC';
foreach ($pdo->query($sql) as $row) {
echo '<tr>';
echo '<td>'. $row['name'] . '</td>';
echo '<td>'. $row['email'] . '</td>';
echo '<td>'. $row['mobile'] . '</td>';
echo '<td width=250>';
echo '<a class="btn" href="read.php?id='.$row['id'].'">Read</a>';
echo ' ';
echo '<a class="btn btn-success" href="update.php?id='.$row['id'].'">Update</a>';
echo ' ';
echo '<a class="btn btn-danger" href="delete.php?id='.$row['id'].'">Delete</a>';
echo '</td>';
echo '</tr>';
}
}
Database::disconnect();
}
?>
并且不要忘记添加 html 表格