douxian7117 2017-12-29 21:40
浏览 45
已采纳

具有多个参数的PDO数据库搜索

I'm trying to search in a database with multiple search parameters. However, I always get the whole table as output. The user is supposed to fill out one or more fields in an HTML form. After the form is submitted, only entries matching the user's parameters should be shown. It worked fine when I only had one parameter.

This is my code:

if (isset($_POST['submit']))
{
    try
    {
        require "../config.php";
        require "../common.php";

        $connection = new PDO($dsn, $username, $password, $options);

        $sql = "SELECT *
                FROM medisGO_patient
                WHERE lastName LIKE '%" . $lastName . "%'
                AND firstName LIKE '%" . $firstName . "%'
                AND birthday LIKE '%" . $birthday . "%'
                AND course LIKE '%" . $course . "%'
                AND id LIKE '%" . $no . "%'";

        $lastName = trim($_POST['lastName']);
        $firstName = trim($_POST['firstName']);
        $course = trim($_POST['course']);
        $birthday = trim($_POST['birthday']);
        $no = trim($_POST['no']);

        $statement = $connection->prepare($sql);
        $statement->bindParam(':lastName', $lastName, PDO::PARAM_STR);
        $statement->bindParam(':firstName', $firstName, PDO::PARAM_STR);
        $statement->bindParam(':birthday', $birthday, PDO::PARAM_STR);
        $statement->bindParam(':course', $course, PDO::PARAM_STR);
        $statement->bindParam(':id', $no, PDO::PARAM_STR);
        $statement->execute();
        $result = $statement->fetchAll();

    }
    catch(PDOException $error)
    {
        echo $sql . "<br>" . $error->getMessage();
    }
}
  • 写回答

1条回答 默认 最新

  • duanlan7239 2017-12-29 21:55
    关注

    You're not using parameters in your query, you're using string concatenation. Worse, you're concatenating variables that don't exist yet, so PHP is substituting an empty string. In essence, the query you're building is:

    SELECT *
FROM medisGO_patient
WHERE lastName LIKE '%%'
AND firstName LIKE '%%'
AND birthday LIKE '%%'
AND course LIKE '%%'
AND id LIKE '%%'

    That's why you're getting the entire table.

    You should be using named parameters instead, while you should add the % signs to the values:

    $sql = "SELECT *
        FROM medisGO_patient
        WHERE lastName LIKE :lastName
        AND firstName LIKE :firstName
        AND birthday LIKE :birthday
        AND course LIKE :course
        AND id LIKE :id";

$lastName = '%' . trim($_POST['lastName']) . '%';
$firstName = '%' . trim($_POST['firstName']) . '%';
$course = '%' . trim($_POST['course']) . '%';
$birthday = '%' . trim($_POST['birthday']) . '%';
$no = '%' . trim($_POST['no']) . '%';

$statement = $connection->prepare($sql);
$statement->bindParam(':lastName', $lastName, PDO::PARAM_STR);
$statement->bindParam(':firstName', $firstName, PDO::PARAM_STR);
$statement->bindParam(':birthday', $birthday, PDO::PARAM_STR);
$statement->bindParam(':course', $course, PDO::PARAM_STR);
$statement->bindParam(':id', $no, PDO::PARAM_STR);
$statement->execute();
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥15 c++头文件不能识别CDialog
  • ¥15 Excel发现不可读取的内容