目前我有一个简单的搜索查询,其工作原理如下:
$username = $_SESSION['username'];
$chosencategory = $_GET['category'];
$price = $_GET['price'];
$search = $_GET['search'];
$terms = explode(" ", $search);
if ($price && $chosencategory){
$sql = "SELECT * FROM people WHERE MATCH (lname,fname) AGAINST (:search IN BOOLEAN MODE) AND category='$chosencategory' ORDER BY price $price";
$q = $conn->prepare($sql) or die("failed!");
$q->bindValue(':search',"%".$search."%",PDO::PARAM_STR);
$q->execute();
}
例如,当用户选择“显示价格从最低到最高”时,发送到 $_GET['price'] = ASC 的值,但我不确定这是否安全对结果进行排序的方法,有人有更好的方法吗?
此外,这种方法也不是最好的,因为当用户选择排序选项(例如“显示价格从最低到最高”)时,下拉框会回显已发送到 $_GET['price'] 的值,即“ASC” "因此,在发送表单后,下拉框中会显示 ASC!
抱歉,如果这令人困惑,如果您希望我重新解释这一点,请发表评论,非常感谢任何帮助或建议!!
最佳答案
与您的值绑定(bind)和sql注入(inject)相关,您还应该在使用之前检查值是否已设置。如果您启用了error_reporting(E_ALL),您会看到很多未定义的警告。以下是一些提示/更改:
<?php
// Check and set username
$username = (isset($_SESSION['username']) ? $_SESSION['username'] : 'guest');
// Check and set category
$category = (!empty($_GET['category']) ? $_GET['category'] : null);
// Check and set search
if(!empty($_GET['search'])){
$search = $_GET['search'];
$terms = explode(" ", $search);
}else{
$search = null;
$terms = null;
}
// Check that $_GET['price'] is ASC if not set to DESC
// as static values its ok to directly put in the query
if(isset($_GET['price']) && $_GET['price'] == 'ASC'){
$price = 'ASC';
}else{
$price = 'DESC';
}
if ($category !== null && $search !== null){
$sql = "SELECT *
FROM people
WHERE MATCH (lname,fname) AGAINST (:search IN BOOLEAN MODE)
AND category = :category
ORDER BY price ".$price;
$q = $conn->prepare($sql);
// Bind the params to the placeholders
$q->bindParam(':search', $search, PDO::PARAM_STR);
$q->bindParam(':category', $category, PDO::PARAM_STR);
$q->execute();
// Get result
$result = $q->fetchAll(PDO::FETCH_ASSOC);
}
?>
关于php - PDO - 按价格升序或降序排列,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/12451519/