查询构建 SQL 函数
Query building SQL function
我正在查询基于变量的数据库,我对如何让我的函数不起作用感到有点困惑。如果 SQL 条件数组中只有一个字符串,我希望它说出 WHERE,如果有多个字符串,我希望第一个是 WHERE,其余的是 AND。目前,如果我有一个字符串并且 rets 为空,那么查询如下所示:SELECT * FROM tb_visitors AND date BETWEEN '2017-08-01' AND '2017-08-31'。我希望它先是 WHERE,有更好的方法吗?
$sites = $data['sites'];
$attendence = $data['filter'];
$time = $data['time'];
$department = $data['department'];
$staff = $data['staff'];
$sql = 'SELECT * FROM tb_visitors' ;
$sql_criteria= "";
if(is_numeric($department) == true){
$sql_criteria[] = "dept_id = "."'".$department."'";
} else if($staff !== 'Staff Member') {
$sql_criteria[] = 'staff='.'"'.$staff.'"';
}
if($department == 'Department' || $staff == 'Staff Member' ){
$sql_criteria[] = "";
}
// Time
if($time == 'Date Range' || $time == 'Custom' || $time == 'Today'){
$sql_criteria[] = "";
} else if($time == 'Today'){
$today_date = date("Y-m-d");
$sql_criteria[] = "date ="."'".$today_date."'";
} else if($time == 'Tomorrow'){
$d= strtotime("tomorrow");
$date = date("Y-m-d", $d);
$sql_criteria[] = "date ="."'".$date."'";
} else if($time == 'Yesterday'){
$date = date('Y-m-d',strtotime("-1 days"));
$sql_criteria[] = "date ="."'".$date."'";
} else if($time == 'Last Month'){
$start_date = date("Y-n-j", strtotime("first day of previous month"));
$end_date = date("Y-n-j", strtotime("last day of previous month"));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'Next Month'){
$start_date = date("Y-n-j", strtotime("first day of next month"));
$end_date = date("Y-n-j", strtotime("last day of next month"));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'This Week'){
$start_date = date("Y-m-d", strtotime('monday this week'));
$end_date = date("Y-m-d", strtotime('sunday this week'));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'This Month'){
$start_date = date('Y-m-01');
$end_date = date('Y-m-t');
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'Last Week'){
$start_date = date("Y-m-d", strtotime("last week monday"));
$end_date = date("Y-m-d", strtotime("last week sunday"));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'Next Week'){
$start_date = date("Y-m-d", strtotime("next monday"));
$end_date = date("Y-m-d", strtotime('+1 week sunday'));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
}
// Attendence
if($attendence == 'Status' || $attendence == 'All Visits'){
$sql_criteria[] = "";
} else if($attendence == 'No Show'){
$sql_criteria[] = "no_show = 'Y'";
} else if($attendence == 'Completed Visits'){
$sql_criteria[] = "seen IS NOT NULL";
} else if($attendence == 'Upcoming Visits'){
$today_date = date("Y-m-d");
$sql_criteria[] = "date > '".$today_date."'";
}
//Sites
if($sites == 'All Sites' || $sites == 'Sites' ){
$sql_criteria[] = "";
} else if($sites == 'Twickenham'){
$sql_criteria[] = "dept_id NOT IN ('28', '29', '30', '32', '41', '44')";
} else if($sites == 'Hammersmith'){
$sql_criteria[] = "dept_id IN ('36')";
} else if($sites == 'Heatherwood'){
$sql_criteria[] = "dept_id IN ('37')";
} else if($sites == 'Hillingdon'){
$sql_criteria[] = "dept_id IN ('38')";
} else if($sites == 'Nuffeild'){
$sql_criteria[] = "dept_id IN ('39')";
} else if($sites == 'St Georges'){
$sql_criteria[] = "dept_id IN ('41')";
} else if($sites == 'Queen Victoria'){
$sql_criteria[] = "dept_id IN ('40')";
} else if($sites == 'Stoke Mandeville'){
$sql_criteria[] = "dept_id IN ('42')";
}
$i=0;
foreach ($sql_criteria as $a => $b){
if($b == ""){
$join = "";
} else if($i == 0){
$join = "WHERE";
} else {
$join = "AND";
}
$sql_final = $join." ".$b;
$i++;
$sql = $sql." ".$sql_final;
}
$result = $db->db_num("$sql");
echo $sql;
由于您已经在数组中获得了 where 子句,因此您可以利用 count and implode.
$sql = 'SELECT * FROM tb_visitors';
$sql_criteria = array();
/*
* Build the $sql_criteria array
* [...]
*/
if (count($sql_criteria)) // Should the where clause be built?
{
$sql .= " WHERE " . implode(" AND ", $sql_criteria);
}
注意:正如评论者已经指出的那样,您很容易受到 SQL 注入攻击。考虑这一点很重要,因为注入可能会发生 "accidentally",并且并不总是由于有针对性的攻击。例如,如果您的 $staff 的值为 "John O'Sullivan",名称中的单引号会中断您的查询。
我正在查询基于变量的数据库,我对如何让我的函数不起作用感到有点困惑。如果 SQL 条件数组中只有一个字符串,我希望它说出 WHERE,如果有多个字符串,我希望第一个是 WHERE,其余的是 AND。目前,如果我有一个字符串并且 rets 为空,那么查询如下所示:SELECT * FROM tb_visitors AND date BETWEEN '2017-08-01' AND '2017-08-31'。我希望它先是 WHERE,有更好的方法吗?
$sites = $data['sites'];
$attendence = $data['filter'];
$time = $data['time'];
$department = $data['department'];
$staff = $data['staff'];
$sql = 'SELECT * FROM tb_visitors' ;
$sql_criteria= "";
if(is_numeric($department) == true){
$sql_criteria[] = "dept_id = "."'".$department."'";
} else if($staff !== 'Staff Member') {
$sql_criteria[] = 'staff='.'"'.$staff.'"';
}
if($department == 'Department' || $staff == 'Staff Member' ){
$sql_criteria[] = "";
}
// Time
if($time == 'Date Range' || $time == 'Custom' || $time == 'Today'){
$sql_criteria[] = "";
} else if($time == 'Today'){
$today_date = date("Y-m-d");
$sql_criteria[] = "date ="."'".$today_date."'";
} else if($time == 'Tomorrow'){
$d= strtotime("tomorrow");
$date = date("Y-m-d", $d);
$sql_criteria[] = "date ="."'".$date."'";
} else if($time == 'Yesterday'){
$date = date('Y-m-d',strtotime("-1 days"));
$sql_criteria[] = "date ="."'".$date."'";
} else if($time == 'Last Month'){
$start_date = date("Y-n-j", strtotime("first day of previous month"));
$end_date = date("Y-n-j", strtotime("last day of previous month"));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'Next Month'){
$start_date = date("Y-n-j", strtotime("first day of next month"));
$end_date = date("Y-n-j", strtotime("last day of next month"));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'This Week'){
$start_date = date("Y-m-d", strtotime('monday this week'));
$end_date = date("Y-m-d", strtotime('sunday this week'));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'This Month'){
$start_date = date('Y-m-01');
$end_date = date('Y-m-t');
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'Last Week'){
$start_date = date("Y-m-d", strtotime("last week monday"));
$end_date = date("Y-m-d", strtotime("last week sunday"));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
} else if($time == 'Next Week'){
$start_date = date("Y-m-d", strtotime("next monday"));
$end_date = date("Y-m-d", strtotime('+1 week sunday'));
$sql_criteria[] = "date BETWEEN '".$start_date."' AND '".$end_date."'";
}
// Attendence
if($attendence == 'Status' || $attendence == 'All Visits'){
$sql_criteria[] = "";
} else if($attendence == 'No Show'){
$sql_criteria[] = "no_show = 'Y'";
} else if($attendence == 'Completed Visits'){
$sql_criteria[] = "seen IS NOT NULL";
} else if($attendence == 'Upcoming Visits'){
$today_date = date("Y-m-d");
$sql_criteria[] = "date > '".$today_date."'";
}
//Sites
if($sites == 'All Sites' || $sites == 'Sites' ){
$sql_criteria[] = "";
} else if($sites == 'Twickenham'){
$sql_criteria[] = "dept_id NOT IN ('28', '29', '30', '32', '41', '44')";
} else if($sites == 'Hammersmith'){
$sql_criteria[] = "dept_id IN ('36')";
} else if($sites == 'Heatherwood'){
$sql_criteria[] = "dept_id IN ('37')";
} else if($sites == 'Hillingdon'){
$sql_criteria[] = "dept_id IN ('38')";
} else if($sites == 'Nuffeild'){
$sql_criteria[] = "dept_id IN ('39')";
} else if($sites == 'St Georges'){
$sql_criteria[] = "dept_id IN ('41')";
} else if($sites == 'Queen Victoria'){
$sql_criteria[] = "dept_id IN ('40')";
} else if($sites == 'Stoke Mandeville'){
$sql_criteria[] = "dept_id IN ('42')";
}
$i=0;
foreach ($sql_criteria as $a => $b){
if($b == ""){
$join = "";
} else if($i == 0){
$join = "WHERE";
} else {
$join = "AND";
}
$sql_final = $join." ".$b;
$i++;
$sql = $sql." ".$sql_final;
}
$result = $db->db_num("$sql");
echo $sql;
由于您已经在数组中获得了 where 子句,因此您可以利用 count and implode.
$sql = 'SELECT * FROM tb_visitors';
$sql_criteria = array();
/*
* Build the $sql_criteria array
* [...]
*/
if (count($sql_criteria)) // Should the where clause be built?
{
$sql .= " WHERE " . implode(" AND ", $sql_criteria);
}
注意:正如评论者已经指出的那样,您很容易受到 SQL 注入攻击。考虑这一点很重要,因为注入可能会发生 "accidentally",并且并不总是由于有针对性的攻击。例如,如果您的 $staff 的值为 "John O'Sullivan",名称中的单引号会中断您的查询。