0

サイトの動的クエリ (検索機能に使用) があります。ユーザー入力に基づいてクエリを動的に構築します。

$query = "SELECT * FROM talents WHERE ";

if(!empty($_POST['firstName'])){
    $query = $query . "firstName = '" . $_POST['firstName'] . "' AND ";
}

if(!empty($_POST['lastName'])){
    $query = $query . "lastName = '" . $_POST['lastName'] . "' AND ";
}

if(!empty($_POST['gender'])){
    $query = $query . "gender = '" . $_POST['gender'] . "' AND ";
}


if(!empty($_POST['eyeColor'])){
    $query = $query . "eyeColor = '" . $_POST['eyeColor'] . "' AND ";
}

if($_POST['heightLow'] != "Low" && $_POST['heightHigh'] != "High"){
    $query = $query . "height BETWEEN '" . $_POST['heightLow'] . "' AND '" . $_POST['heightHigh'] . "' AND ";
}else if($_POST['heightLow'] != "Low" && $_POST['heightHigh'] == "High"){
    $query = $query . "height = '" . $_POST['heightLow'] . "' AND ";
}

if(!empty($_POST['hairColor'])){
    $query = $query . "hairColor = '" . $_POST['hairColor'] . "' AND ";
}

if($_POST['weightLow'] != "Low" && $_POST['weightHigh'] != "High"){
    $query = $query . "weight BETWEEN '" . $_POST['weightLow'] . "' AND '" . $_POST['weightHigh'] . "' AND ";
}else if($_POST['weightLow'] != "Low" && $_POST['weightHigh'] == "High"){
    $query = $query . "weight = '" . $_POST['weightLow'] . "' AND ";
}

if(!empty($_POST['dressSize'])){
    $query = $query . "dressSize = '" . $_POST['dressSize'] . "' AND ";
}

if($_POST['chestLow'] != "Low" && $_POST['chestHigh'] != "High"){
    $query = $query . "chest BETWEEN '" . $_POST['chestLow'] . "' AND '" . $_POST['chestHigh'] . "' AND ";
}else if($_POST['chestLow'] != "Low" && $_POST['chestHigh'] == "High"){
    $query = $query . "chest = '" . $_POST['chestLow'] . "' AND ";
}

if(!empty($_POST['shoeSize'])){
    $query = $query . "shoeSize = '" . $_POST['shoeSize'] . "' AND ";
}

if($_POST['waistLow'] != "Low" && $_POST['waistHigh'] != "High"){
    $query = $query . "waist BETWEEN '" . $_POST['waistLow'] . "' AND '" . $_POST['waistHigh'] . "' AND ";
}else if($_POST['waistLow'] != "Low" && $_POST['waistHigh'] == "High"){
    $query = $query . "waist = '" . $_POST['waistLow'] . "' AND ";
}

if($_POST['hipsLow'] != "Low" && $_POST['hipsHigh'] != "High"){
    $query = $query . "hips BETWEEN '" . $_POST['hipsLow'] . "' AND '" . $_POST['hipsHigh'] . "' ";
}else if($_POST['hipsLow'] != "Low" && $_POST['hipsigh'] == "High"){
    $query = $query . "hips = '" . $_POST['hipsLow'] . "' ";
}

まず、冗長な性質を無視してください。これは機能するためのアルファ版です。きれいなコード。第 2 に、HighおよびLow変数は、範囲検索 (たとえば、5'3 から 5'9 の間の高さ) を参照します。

これが私の問題です。AND!_ hips私が持っている方法では、エラー以外の入力に何かがあれば機能します。しかし、その場合、ユーザーがどこで止まるかを予測することは不可能です。

これは非常に一般的な機能ですが、インターネットで簡単に見つけることができないことに驚いています。簡単なアイデアはありますか?

4

2 に答える 2

4

条件をこのようにではarrayなくに保存しますstring

$query = array();
$query[] = "weight = '" . $_POST['weightLow'];

そしてimplodeそれとAND

$final_query = implode(' AND ', $query);
于 2013-06-05T04:28:38.860 に答える
1

私にはアイデアがあります。あなたの入力をサニタイズしてください。$_POST['xxx'] をクエリに直接渡さないでください。

少なくともmysql_real_escape_string () でラップしてください。ただし、PHP の PDO を使用した方がよいでしょう。

逃げた後、それは機能し始めます。また、検討することもできます。その場合$query = rtrim($query, "AND")は、引き続きクエリの最後に「AND」を付けてください。

例 (テストされていません):

$query = "SELECT * FROM talents WHERE ";

if(!empty($_POST['firstName'])){
    $query = $query . "firstName = '" . mysql_real_escape_string($_POST['firstName']) . "' AND ";
}

if(!empty($_POST['lastName'])){
    $query = $query . "lastName = '" . mysql_real_escape_string($_POST['lastName']) . "' AND ";
}

if(!empty($_POST['gender'])){
    $query = $query . "gender = '" . mysql_real_escape_string($_POST['gender']) . "' AND ";
}


if(!empty($_POST['eyeColor'])){
    $query = $query . "eyeColor = '" . mysql_real_escape_string($_POST['eyeColor']) . "' AND ";
}

if($_POST['heightLow'] != "Low" && $_POST['heightHigh'] != "High"){
    $query = $query . "height BETWEEN '" . mysql_real_escape_string($_POST['heightLow']) . "' AND '" . mysql_real_escape_string($_POST['heightHigh']) . "' AND ";
}else if($_POST['heightLow'] != "Low" && $_POST['heightHigh'] == "High"){
    $query = $query . "height = '" . mysql_real_escape_string($_POST['heightLow']) . "' AND ";
}

if(!empty($_POST['hairColor'])){
    $query = $query . "hairColor = '" . mysql_real_escape_string($_POST['hairColor']) . "' AND ";
}

if($_POST['weightLow'] != "Low" && $_POST['weightHigh'] != "High"){
    $query = $query . "weight BETWEEN '" . mysql_real_escape_string($_POST['weightLow']) . "' AND '" . mysql_real_escape_string($_POST['weightHigh']) . "' AND ";
}else if($_POST['weightLow'] != "Low" && $_POST['weightHigh'] == "High"){
    $query = $query . "weight = '" . mysql_real_escape_string($_POST['weightLow']) . "' AND ";
}

if(!empty($_POST['dressSize'])){
    $query = $query . "dressSize = '" . mysql_real_escape_string($_POST['dressSize']) . "' AND ";
}

if($_POST['chestLow'] != "Low" && $_POST['chestHigh'] != "High"){
    $query = $query . "chest BETWEEN '" . mysql_real_escape_string($_POST['chestLow']) . "' AND '" . mysql_real_escape_string($_POST['chestHigh']) . "' AND ";
}else if($_POST['chestLow'] != "Low" && $_POST['chestHigh'] == "High"){
    $query = $query . "chest = '" . mysql_real_escape_string($_POST['chestLow']) . "' AND ";
}

if(!empty($_POST['shoeSize'])){
    $query = $query . "shoeSize = '" . mysql_real_escape_string($_POST['shoeSize']) . "' AND ";
}

if($_POST['waistLow'] != "Low" && $_POST['waistHigh'] != "High"){
    $query = $query . "waist BETWEEN '" . mysql_real_escape_string($_POST['waistLow']) . "' AND '" . mysql_real_escape_string($_POST['waistHigh']) . "' AND ";
}else if($_POST['waistLow'] != "Low" && $_POST['waistHigh'] == "High"){
    $query = $query . "waist = '" . mysql_real_escape_string($_POST['waistLow']) . "' AND ";
}

if($_POST['hipsLow'] != "Low" && $_POST['hipsHigh'] != "High"){
    $query = $query . "hips BETWEEN '" . mysql_real_escape_string($_POST['hipsLow']) . "' AND '" . mysql_real_escape_string($_POST['hipsHigh']) . "' AND";
}else if($_POST['hipsLow'] != "Low" && $_POST['hipsigh'] == "High"){
    $query = $query . "hips = '" . mysql_real_escape_string($_POST['hipsLow']) . "' AND";
}

$query = rtrim($query, "AND");
于 2013-06-05T04:29:41.130 に答える