普通网友 2015-02-06 15:48
浏览 38
已采纳

使用下拉搜索时出错 - mySQL / php

When trying to incorporate a dropdown option in mySQL search, I keep getting this error: Warning: in_array() expects parameter 2 to be array, boolean given on line 24

Can anyone help? Thank you so much!

Search page:

<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php include("../includes/header-home.php"); ?>
<div class="container">
  <div class="col=md-12">
    <p><strong>Search:</strong></p>
   <form name="form1" method="post" action="search_results.php">
    <p><input name="search" type="text" size="40" maxlength="50"/></p>
    <p><strong>Type:</strong></p>
     <input type="checkbox" name="type[]" value="1"> Medalist</p>
<select name="medal[]">
<option value="1">Medal 1</option>
<option value="2">Medal 2</option>
<option value="3">Medal 3</option>
<option value="4">Medal 4</option>
<option value="5">Medal 5</option>
<option value="6">Medal 6</option>
<option value="7">Medal 7</option>
<option value="8">Medal 8</option>
</select>

<p><strong>Year:</strong></p>
     <p><input name="search" type="text" size="40" maxlength="50"/></p>
 <p><input type="submit" name="submit" value="Search" /></p>
</form>
    </div></div>
<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>

Search Results page:

<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

$search_sqli="SELECT * FROM profiles WHERE 
    (first_name LIKE '%".$_POST ['search']."%' 
    OR last_name LIKE '%".$_POST ['search']."%' 
    OR first_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR city LIKE '%".$_POST ['search']."%' 
    OR agency LIKE '%".$_POST ['search']."%' 
    OR subcomponent LIKE '%".$_POST ['search']."%' 
    OR team_name LIKE '%".$_POST ['search']."%' 
    OR achievement LIKE '%".$_POST ['search']."%' 
    OR profile LIKE '%".$_POST ['search']."%'
        OR year LIKE '%".$_POST ['search']."%')" 
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");


$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0)  {
$search_rs=mysqli_fetch_assoc($search_query);
}

?>

<?php include("../includes/header-home.php"); ?>
<div class="container">
  <div class="col=md-12">
     <p>Search:</p>
    <form name="form1" method="post" action="search_results.php">
    <input name="search" type="text" size="40" maxlength="50"/>
    <input type="submit" name="submit" value="Search" />

    </form>
   <br />
    <p><strong>Search Results:</strong></p>
  <?php if (mysqli_num_rows($search_query) !=0) {
     do  {
         ?>
    <p><ul>
    <li><a href="view_profile.php?profile=<?php echo urlencode($search_rs["id"]); ?>"><?php echo $search_rs['first_name']; ?> <?php echo $search_rs['last_name']; ?> <?php echo $search_rs['first_name2']; ?> <?php echo $search_rs['last_name2']; ?></a></li></ul></p>     

<?php } while ($search_rs=mysqli_fetch_assoc($search_query));

  } else {
      echo "No results found";
  }
  ?>
  <br />    
  <p> <a class="btn btn-default" href="search.php" role="button">Back to search</a></p>
    </div></div>

<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>
  • 写回答

2条回答 默认 最新

  • dongni8124 2015-02-06 16:34
    关注

    Here: in_array('1', $_POST['type'])

    the second argument you are passing to in_array isn't an array. It's whatever value you have posted as 'type', and you do something similar in the second instance. I believe that you could replace the two lines using in_array with:

    . (isset($_POST['type']) && $_POST['type']=='1' ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && (int)$_POST['medal'] > 0 ? " AND medal='".(int)$_POST['medal']."'" : "");

    I would also suggest rewriting the first part of your code:

    <?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

    to avoid the repeated tags, and also to preprocess those variables, to make your code a little easier to read and maintain. I would also suggest limiting the type of $_POST['medal'] to int to avoid the cast, but it may not be possible in your case.

    <?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>

<?php
if (!isset ($_POST['search'])) {
    header("Location:admin.php");
}

$search_sqli="SELECT * FROM profiles WHERE     
    (first_name LIKE '%".$_POST ['search']."%' 
    OR last_name LIKE '%".$_POST ['search']."%' 
    OR first_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR last_name2 LIKE '%".$_POST ['search']."%' 
    OR city LIKE '%".$_POST ['search']."%' 
    OR agency LIKE '%".$_POST ['search']."%' 
    OR subcomponent LIKE '%".$_POST ['search']."%' 
    OR team_name LIKE '%".$_POST ['search']."%' 
    OR achievement LIKE '%".$_POST ['search']."%' 
    OR profile LIKE '%".$_POST ['search']."%'
        OR year LIKE '%".$_POST ['search']."%')" 
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");


$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0)  {
$search_rs=mysqli_fetch_assoc($search_query);
}

?>

<?php include("../includes/header-home.php"); ?>

    would become:

    <?php   require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");
        require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");
        require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");

        if (!isset ($_POST['search'])) { header("Location:admin.php"); }

        $search = $_POST['search'];
        $type    = (isset($_POST['type'])   ? "AND medalist = '1'" : "";
        $medal  = (isset($_POST['medal']) ? "AND medal = '{$_POST['medal']}' : "";


        $search_sqli = "
            SELECT * FROM profiles WHERE (
                    first_name      LIKE '%{$search}%' 
                OR  last_name       LIKE '%{$search}%' 
                OR  first_name2     LIKE '%{$search}%' 
                OR  last_name2      LIKE '%{$search}%' 
                OR  last_name2      LIKE '%{$search}%' 
                OR  city            LIKE '%{$search}%' 
                OR  agency          LIKE '%{$search}%' 
                OR  subcomponent    LIKE '%{$search}%' 
                OR  team_name       LIKE '%{$search}%' 
                OR  achievement     LIKE '%{$search}%' 
                OR  profile         LIKE '%{$search}%'
                OR  year            LIKE '%{$search}%'
            )
            {type}
            {$medal}
        ";

        $search_query = mysqli_query($connection, $search_sqli);
        if (mysqli_num_rows($search_query) !=0)  {
            $search_rs=mysqli_fetch_assoc($search_query);
        }

        include("../includes/header-home.php");

?>

    I think you'll find that will be easier to read and maintain. This should work, but I have not tested it live. If you have any issues I'd be happy to help with them. Do pay attention to the advice in the comment on your question. SQL injection is a real danger, and anyone could easily access your database if this is an internet accessible page. Even if it's internally facing, it wouldn't stop a malicious user from deleting your entire database, or inserting unvalidated data, or viewing any sensitive data you might have in the database. As your code stands, I would have free access to your data. mysqli does support several ways of stopping the injection.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 西门子S7-Graph,S7-300,梯形图
  • ¥50 用易语言http 访问不了网页
  • ¥50 safari浏览器fetch提交数据后数据丢失问题
  • ¥15 matlab不知道怎么改,求解答!!
  • ¥15 永磁直线电机的电流环pi调不出来
  • ¥15 用stata实现聚类的代码
  • ¥15 请问paddlehub能支持移动端开发吗?在Android studio上该如何部署?
  • ¥20 docker里部署springboot项目,访问不到扬声器
  • ¥15 netty整合springboot之后自动重连失效
  • ¥15 悬赏!微信开发者工具报错,求帮改