普通网友 2015-02-06 15:48
浏览 38
已采纳

使用下拉搜索时出错 - mySQL / php

When trying to incorporate a dropdown option in mySQL search, I keep getting this error: Warning: in_array() expects parameter 2 to be array, boolean given on line 24

Can anyone help? Thank you so much!

Search page:

<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php include("../includes/header-home.php"); ?>
<div class="container">
  <div class="col=md-12">
    <p><strong>Search:</strong></p>
   <form name="form1" method="post" action="search_results.php">
    <p><input name="search" type="text" size="40" maxlength="50"/></p>
    <p><strong>Type:</strong></p>
     <input type="checkbox" name="type[]" value="1"> Medalist</p>
<select name="medal[]">
<option value="1">Medal 1</option>
<option value="2">Medal 2</option>
<option value="3">Medal 3</option>
<option value="4">Medal 4</option>
<option value="5">Medal 5</option>
<option value="6">Medal 6</option>
<option value="7">Medal 7</option>
<option value="8">Medal 8</option>
</select>

<p><strong>Year:</strong></p>
     <p><input name="search" type="text" size="40" maxlength="50"/></p>
 <p><input type="submit" name="submit" value="Search" /></p>
</form>
    </div></div>
<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>

Search Results page:

<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

$search_sqli="SELECT * FROM profiles WHERE 
    (first_name LIKE '%".$_POST ['search']."%' 
    OR last_name LIKE '%".$_POST ['search']."%' 
    OR first_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR city LIKE '%".$_POST ['search']."%' 
    OR agency LIKE '%".$_POST ['search']."%' 
    OR subcomponent LIKE '%".$_POST ['search']."%' 
    OR team_name LIKE '%".$_POST ['search']."%' 
    OR achievement LIKE '%".$_POST ['search']."%' 
    OR profile LIKE '%".$_POST ['search']."%'
        OR year LIKE '%".$_POST ['search']."%')" 
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");


$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0)  {
$search_rs=mysqli_fetch_assoc($search_query);
}

?>

<?php include("../includes/header-home.php"); ?>
<div class="container">
  <div class="col=md-12">
     <p>Search:</p>
    <form name="form1" method="post" action="search_results.php">
    <input name="search" type="text" size="40" maxlength="50"/>
    <input type="submit" name="submit" value="Search" />

    </form>
   <br />
    <p><strong>Search Results:</strong></p>
  <?php if (mysqli_num_rows($search_query) !=0) {
     do  {
         ?>
    <p><ul>
    <li><a href="view_profile.php?profile=<?php echo urlencode($search_rs["id"]); ?>"><?php echo $search_rs['first_name']; ?> <?php echo $search_rs['last_name']; ?> <?php echo $search_rs['first_name2']; ?> <?php echo $search_rs['last_name2']; ?></a></li></ul></p>     

<?php } while ($search_rs=mysqli_fetch_assoc($search_query));

  } else {
      echo "No results found";
  }
  ?>
  <br />    
  <p> <a class="btn btn-default" href="search.php" role="button">Back to search</a></p>
    </div></div>

<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>
  • 写回答

2条回答 默认 最新

  • dongni8124 2015-02-06 16:34
    关注

    Here: in_array('1', $_POST['type'])

    the second argument you are passing to in_array isn't an array. It's whatever value you have posted as 'type', and you do something similar in the second instance. I believe that you could replace the two lines using in_array with:

    . (isset($_POST['type']) && $_POST['type']=='1' ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && (int)$_POST['medal'] > 0 ? " AND medal='".(int)$_POST['medal']."'" : "");

    I would also suggest rewriting the first part of your code:

    <?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

    to avoid the repeated tags, and also to preprocess those variables, to make your code a little easier to read and maintain. I would also suggest limiting the type of $_POST['medal'] to int to avoid the cast, but it may not be possible in your case.

    <?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

$search_sqli="SELECT * FROM profiles WHERE     
    (first_name LIKE '%".$_POST ['search']."%' 
    OR last_name LIKE '%".$_POST ['search']."%' 
    OR first_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR city LIKE '%".$_POST ['search']."%' 
    OR agency LIKE '%".$_POST ['search']."%' 
    OR subcomponent LIKE '%".$_POST ['search']."%' 
    OR team_name LIKE '%".$_POST ['search']."%' 
    OR achievement LIKE '%".$_POST ['search']."%' 
    OR profile LIKE '%".$_POST ['search']."%'
        OR year LIKE '%".$_POST ['search']."%')" 
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");


$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0)  {
$search_rs=mysqli_fetch_assoc($search_query);
}

?>

<?php include("../includes/header-home.php"); ?>

    would become:

    <?php   require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");
        require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");
        require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");

        if (!isset ($_POST['search'])) { header("Location:admin.php"); }

        $search = $_POST['search'];
        $type    = (isset($_POST['type'])   ? "AND medalist = '1'" : "";
        $medal  = (isset($_POST['medal']) ? "AND medal = '{$_POST['medal']}' : "";


        $search_sqli = "
            SELECT * FROM profiles WHERE (
                    first_name      LIKE '%{$search}%' 
                OR  last_name       LIKE '%{$search}%' 
                OR  first_name2     LIKE '%{$search}%' 
                OR  last_name2      LIKE '%{$search}%' 
                OR  last_name2      LIKE '%{$search}%' 
                OR  city            LIKE '%{$search}%' 
                OR  agency          LIKE '%{$search}%' 
                OR  subcomponent    LIKE '%{$search}%' 
                OR  team_name       LIKE '%{$search}%' 
                OR  achievement     LIKE '%{$search}%' 
                OR  profile         LIKE '%{$search}%'
                OR  year            LIKE '%{$search}%'
            )
            {type}
            {$medal}
        ";

        $search_query = mysqli_query($connection, $search_sqli);
        if (mysqli_num_rows($search_query) !=0)  {
            $search_rs=mysqli_fetch_assoc($search_query);
        }

        include("../includes/header-home.php");

?>

    I think you'll find that will be easier to read and maintain. This should work, but I have not tested it live. If you have any issues I'd be happy to help with them. Do pay attention to the advice in the comment on your question. SQL injection is a real danger, and anyone could easily access your database if this is an internet accessible page. Even if it's internally facing, it wouldn't stop a malicious user from deleting your entire database, or inserting unvalidated data, or viewing any sensitive data you might have in the database. As your code stands, I would have free access to your data. mysqli does support several ways of stopping the injection.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 乌班图ip地址配置及远程SSH
  • ¥15 怎么让点阵屏显示静态爱心,用keiluVision5写出让点阵屏显示静态爱心的代码,越快越好
  • ¥15 PSPICE制作一个加法器
  • ¥15 javaweb项目无法正常跳转
  • ¥15 VMBox虚拟机无法访问
  • ¥15 skd显示找不到头文件
  • ¥15 机器视觉中图片中长度与真实长度的关系
  • ¥15 fastreport table 怎么只让每页的最下面和最顶部有横线
  • ¥15 java 的protected权限 ,问题在注释里
  • ¥15 这个是哪里有问题啊?