普通网友 2015-02-06 15:48
浏览 38
已采纳

使用下拉搜索时出错 - mySQL / php

When trying to incorporate a dropdown option in mySQL search, I keep getting this error: Warning: in_array() expects parameter 2 to be array, boolean given on line 24

Can anyone help? Thank you so much!

Search page:

<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php include("../includes/header-home.php"); ?>
<div class="container">
  <div class="col=md-12">
    <p><strong>Search:</strong></p>
   <form name="form1" method="post" action="search_results.php">
    <p><input name="search" type="text" size="40" maxlength="50"/></p>
    <p><strong>Type:</strong></p>
     <input type="checkbox" name="type[]" value="1"> Medalist</p>
<select name="medal[]">
<option value="1">Medal 1</option>
<option value="2">Medal 2</option>
<option value="3">Medal 3</option>
<option value="4">Medal 4</option>
<option value="5">Medal 5</option>
<option value="6">Medal 6</option>
<option value="7">Medal 7</option>
<option value="8">Medal 8</option>
</select>

<p><strong>Year:</strong></p>
     <p><input name="search" type="text" size="40" maxlength="50"/></p>
 <p><input type="submit" name="submit" value="Search" /></p>
</form>
    </div></div>
<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>

Search Results page:

<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

$search_sqli="SELECT * FROM profiles WHERE 
    (first_name LIKE '%".$_POST ['search']."%' 
    OR last_name LIKE '%".$_POST ['search']."%' 
    OR first_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR city LIKE '%".$_POST ['search']."%' 
    OR agency LIKE '%".$_POST ['search']."%' 
    OR subcomponent LIKE '%".$_POST ['search']."%' 
    OR team_name LIKE '%".$_POST ['search']."%' 
    OR achievement LIKE '%".$_POST ['search']."%' 
    OR profile LIKE '%".$_POST ['search']."%'
        OR year LIKE '%".$_POST ['search']."%')" 
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");


$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0)  {
$search_rs=mysqli_fetch_assoc($search_query);
}

?>

<?php include("../includes/header-home.php"); ?>
<div class="container">
  <div class="col=md-12">
     <p>Search:</p>
    <form name="form1" method="post" action="search_results.php">
    <input name="search" type="text" size="40" maxlength="50"/>
    <input type="submit" name="submit" value="Search" />

    </form>
   <br />
    <p><strong>Search Results:</strong></p>
  <?php if (mysqli_num_rows($search_query) !=0) {
     do  {
         ?>
    <p><ul>
    <li><a href="view_profile.php?profile=<?php echo urlencode($search_rs["id"]); ?>"><?php echo $search_rs['first_name']; ?> <?php echo $search_rs['last_name']; ?> <?php echo $search_rs['first_name2']; ?> <?php echo $search_rs['last_name2']; ?></a></li></ul></p>     

<?php } while ($search_rs=mysqli_fetch_assoc($search_query));

  } else {
      echo "No results found";
  }
  ?>
  <br />    
  <p> <a class="btn btn-default" href="search.php" role="button">Back to search</a></p>
    </div></div>

<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>
  • 写回答

2条回答 默认 最新

  • dongni8124 2015-02-06 16:34
    关注

    Here: in_array('1', $_POST['type'])

    the second argument you are passing to in_array isn't an array. It's whatever value you have posted as 'type', and you do something similar in the second instance. I believe that you could replace the two lines using in_array with:

    . (isset($_POST['type']) && $_POST['type']=='1' ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && (int)$_POST['medal'] > 0 ? " AND medal='".(int)$_POST['medal']."'" : "");

    I would also suggest rewriting the first part of your code:

    <?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

    to avoid the repeated tags, and also to preprocess those variables, to make your code a little easier to read and maintain. I would also suggest limiting the type of $_POST['medal'] to int to avoid the cast, but it may not be possible in your case.

    <?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

$search_sqli="SELECT * FROM profiles WHERE     
    (first_name LIKE '%".$_POST ['search']."%' 
    OR last_name LIKE '%".$_POST ['search']."%' 
    OR first_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR city LIKE '%".$_POST ['search']."%' 
    OR agency LIKE '%".$_POST ['search']."%' 
    OR subcomponent LIKE '%".$_POST ['search']."%' 
    OR team_name LIKE '%".$_POST ['search']."%' 
    OR achievement LIKE '%".$_POST ['search']."%' 
    OR profile LIKE '%".$_POST ['search']."%'
        OR year LIKE '%".$_POST ['search']."%')" 
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");


$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0)  {
$search_rs=mysqli_fetch_assoc($search_query);
}

?>

<?php include("../includes/header-home.php"); ?>

    would become:

    <?php   require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");
        require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");
        require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");

        if (!isset ($_POST['search'])) { header("Location:admin.php"); }

        $search = $_POST['search'];
        $type    = (isset($_POST['type'])   ? "AND medalist = '1'" : "";
        $medal  = (isset($_POST['medal']) ? "AND medal = '{$_POST['medal']}' : "";


        $search_sqli = "
            SELECT * FROM profiles WHERE (
                    first_name      LIKE '%{$search}%' 
                OR  last_name       LIKE '%{$search}%' 
                OR  first_name2     LIKE '%{$search}%' 
                OR  last_name2      LIKE '%{$search}%' 
                OR  last_name2      LIKE '%{$search}%' 
                OR  city            LIKE '%{$search}%' 
                OR  agency          LIKE '%{$search}%' 
                OR  subcomponent    LIKE '%{$search}%' 
                OR  team_name       LIKE '%{$search}%' 
                OR  achievement     LIKE '%{$search}%' 
                OR  profile         LIKE '%{$search}%'
                OR  year            LIKE '%{$search}%'
            )
            {type}
            {$medal}
        ";

        $search_query = mysqli_query($connection, $search_sqli);
        if (mysqli_num_rows($search_query) !=0)  {
            $search_rs=mysqli_fetch_assoc($search_query);
        }

        include("../includes/header-home.php");

?>

    I think you'll find that will be easier to read and maintain. This should work, but I have not tested it live. If you have any issues I'd be happy to help with them. Do pay attention to the advice in the comment on your question. SQL injection is a real danger, and anyone could easily access your database if this is an internet accessible page. Even if it's internally facing, it wouldn't stop a malicious user from deleting your entire database, or inserting unvalidated data, or viewing any sensitive data you might have in the database. As your code stands, I would have free access to your data. mysqli does support several ways of stopping the injection.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 用土力学知识进行土坡稳定性分析与挡土墙设计
  • ¥70 PlayWright在Java上连接CDP关联本地Chrome启动失败,貌似是Windows端口转发问题
  • ¥15 帮我写一个c++工程
  • ¥30 Eclipse官网打不开,官网首页进不去,显示无法访问此页面,求解决方法
  • ¥15 关于smbclient 库的使用
  • ¥15 微信小程序协议怎么写
  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
  • ¥20 怎么用dlib库的算法识别小麦病虫害
  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?