开发者

PHP mysql - ...AND column='anything'...?

问答 作者:

Is there any way to chec开发者_开发知识库k if a column is "anything"? The reason is that i have a searchfunction that get's an ID from the URL, and then it passes it through the sql algorithm and shows the result. But if that URL "function" (?) isn't filled in, it just searches for:

...AND column=''...

and that doesn't return any results at all. I've tried using a "%", but that doesn't do anything.

Any ideas?

Here's the query:

mysql_query("SELECT * FROM filer 
             WHERE real_name LIKE '%$searchString%' 
                   AND public='1' AND ikon='$tab' 
                   OR filinfo LIKE '%$searchString%' 
                   AND public='1' 
                   AND ikon='$tab' 
             ORDER BY rank DESC, kommentarer DESC");

The problem is "ikon=''"...

and ikon like '%' would check for the column containing "anything". Note that like can also be used for comparing to literal strings with no wildcards, so, if you change that portion of SQL to use like then you could pre-set the variable to '%' and be all set.

However, as someone else mentioned below, beware of SQL injection attacks. I always strongly suggest that people use mysqli and prepared queries instead of relying on mysql_real_escape_string().

You can dynamically create your query, e.g.:

$query = "SELECT * FROM table WHERE foo='bar'";

if(isset($_GET['id'])) {
    $query .= " AND column='" . mysql_real_escape_string($_GET['id']) . "'";
}

Update: Updated code to be closer to the OP's question.

Try using this:

AND ('$tab' = '' OR ikon = '$tab')

If the empty string is given then the condition will always succeed.

Alternatively, from PHP you could build two different queries depending on whether $id is empty or not.

Run your query if search string is provided by wrapping it in if-else condition:

$id = (int) $_GET['id'];

if ($id)
{
  // run query
}
else
{
  // echo oops
}

There is noway to check if a column is "anything"
The way to include all values into query result is exclude this field from the query.
But you can always build a query dynamically.
Just a small example:

$w=array();
if (!empty($_GET['rooms'])) $w[]="rooms='".mysql_real_escape_string($_GET['rooms'])."'";
if (!empty($_GET['space'])) $w[]="space='".mysql_real_escape_string($_GET['space'])."'";
if (!empty($_GET['max_price'])) $w[]="price < '".mysql_real_escape_string($_GET['max_price'])."'";


if (count($w)) $where="WHERE ".implode(' AND ',$w); else $where='';
$query="select * from table $where";

For your query it's very easy:

$ikon="";
if ($id) $ikon = "AND ikon='$tab'";
mysql_query("SELECT * FROM filer 
             WHERE (real_name LIKE '%$searchString%' 
                   OR filinfo LIKE '%$searchString%')
                   AND public='1' 
                   $ikon 
             ORDER BY rank DESC, kommentarer DESC");

I hope you have all your strings already escaped

I take it that you are adding the values in from variables. The variable is coming and you need to do something with it - too late to hardcode a 'OR 1 = 1' section in there. You need to understand that LIKE isn't what it sounds like (partial matching only) - it does exact matches too. There is no need for 'field = anything' as:

  • {field LIKE '%'} will give you everything
  • {field LIKE 'specific_value'} will ONLY give you that value - it is not partial matching like it sounds like it would be.

Using 'specific_value%' or '%specific_value' will start doing partial matching. Therefore LIKE should do all you need for when you have a variable incoming that may be a '%' to get everything or a specific value that you want to match exactly. This is how search filtering behaviour would usually happen I expect.

继续阅读:functionphpsearch

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9