所以我正在尝试使用 PDO 执行搜索。我设置了这个搜索:
echo "<form action = 'user.php?search=yes' method = 'post' id='searchform'>
<a href='user.php?newuser=yes'>Add New User</a> || Search By
<select name = 'paramet' form = 'searchform'>
<option value = 'userID'>User ID</option>
<option value = 'firstname'>First Name</option>
<option value = 'lastname'>Last Name</option>
<option value = 'email'>E-Mail</option>
<option value = 'mobileno'>Mobile Number</option>
<option value = 'homeno'>Home Number</option>
</select>
<select name = 'howso' form = 'searchform'>
<option value = 'contains'>which contains</option>
<option value = 'equalto'>which is equal to</option>
</select>
<input type = 'text' name='criteria' required>
<input type = 'submit' value='Search'>
</form>
然后处理查询:
{
$param = $_POST['paramet'];
$how = $_POST['howso'];
$crite = $_POST['criteria'];
if($how == 'contains')
{
$query = $hsdbc->prepare("SELECT * FROM user WHERE :param LIKE :crite");
$query->bindParam(':param', $param);
$query->bindValue(':crite', '%' . $crite . '%');
$query->execute();
}
else{
$query = $hsdbc->prepare("SELECT * FROM user WHERE :param = :crite");
$query->bindParam(':param', $param);
$query->bindParam(':crite', $crite);
$query->execute();
}
我离正确的结果还差得很远。有帮助吗?
最佳答案
您不能绑定(bind)列名。您能做的最好的事情就是将该名称添加到白名单数组或其他内容中,然后手动插入。
if(in_array($param, $good_params_array)) {
$query = $hsdbc->prepare("SELECT * FROM user WHERE $param LIKE :crite");
$query->bindValue(':crite', '%' . $crite . '%');
$query->execute();
}
我见过人们在数据库中查询表描述以获取列以查看是否列出了列名,但这需要额外的数据库请求。此外,您可能希望限制他们可以搜索的字段
关于php - 使用 PDO 搜索,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22998508/