douxian7117 2017-12-29 21:40
浏览 45
已采纳

具有多个参数的PDO数据库搜索

I'm trying to search in a database with multiple search parameters. However, I always get the whole table as output. The user is supposed to fill out one or more fields in an HTML form. After the form is submitted, only entries matching the user's parameters should be shown. It worked fine when I only had one parameter.

This is my code:

if (isset($_POST['submit']))
{
    try
    {
        require "../config.php";
        require "../common.php";

        $connection = new PDO($dsn, $username, $password, $options);

        $sql = "SELECT *
                FROM medisGO_patient
                WHERE lastName LIKE '%" . $lastName . "%'
                AND firstName LIKE '%" . $firstName . "%'
                AND birthday LIKE '%" . $birthday . "%'
                AND course LIKE '%" . $course . "%'
                AND id LIKE '%" . $no . "%'";

        $lastName = trim($_POST['lastName']);
        $firstName = trim($_POST['firstName']);
        $course = trim($_POST['course']);
        $birthday = trim($_POST['birthday']);
        $no = trim($_POST['no']);

        $statement = $connection->prepare($sql);
        $statement->bindParam(':lastName', $lastName, PDO::PARAM_STR);
        $statement->bindParam(':firstName', $firstName, PDO::PARAM_STR);
        $statement->bindParam(':birthday', $birthday, PDO::PARAM_STR);
        $statement->bindParam(':course', $course, PDO::PARAM_STR);
        $statement->bindParam(':id', $no, PDO::PARAM_STR);
        $statement->execute();
        $result = $statement->fetchAll();

    }
    catch(PDOException $error)
    {
        echo $sql . "<br>" . $error->getMessage();
    }
}
  • 写回答

1条回答 默认 最新

  • duanlan7239 2017-12-29 21:55
    关注

    You're not using parameters in your query, you're using string concatenation. Worse, you're concatenating variables that don't exist yet, so PHP is substituting an empty string. In essence, the query you're building is:

    SELECT *
FROM medisGO_patient
WHERE lastName LIKE '%%'
AND firstName LIKE '%%'
AND birthday LIKE '%%'
AND course LIKE '%%'
AND id LIKE '%%'

    That's why you're getting the entire table.

    You should be using named parameters instead, while you should add the % signs to the values:

    $sql = "SELECT *
        FROM medisGO_patient
        WHERE lastName LIKE :lastName
        AND firstName LIKE :firstName
        AND birthday LIKE :birthday
        AND course LIKE :course
        AND id LIKE :id";

$lastName = '%' . trim($_POST['lastName']) . '%';
$firstName = '%' . trim($_POST['firstName']) . '%';
$course = '%' . trim($_POST['course']) . '%';
$birthday = '%' . trim($_POST['birthday']) . '%';
$no = '%' . trim($_POST['no']) . '%';

$statement = $connection->prepare($sql);
$statement->bindParam(':lastName', $lastName, PDO::PARAM_STR);
$statement->bindParam(':firstName', $firstName, PDO::PARAM_STR);
$statement->bindParam(':birthday', $birthday, PDO::PARAM_STR);
$statement->bindParam(':course', $course, PDO::PARAM_STR);
$statement->bindParam(':id', $no, PDO::PARAM_STR);
$statement->execute();
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 目详情-五一模拟赛详情页
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line