问题描述
@H_404_0@所以我尝试使用带有 Ajax 和 PHP 的复选框来过滤记录。我正在尝试使用 PDO 过滤记录,因为它是最安全的选择。我想知道为什么过滤系统只在选中一个复选框时才进行过滤,而不是更多。
@H_404_0@这是我的代码:
if(isset($_POST['merk']))
{
// Pretty sure you have the following format 1,2,3,4 and not '1','2','3','4'
$merk = implode(',',$_POST['merk']);
if (preg_replace('/[^A-Za-z0-9\-]/','',$merk)) {
// Notice that placeholders should not be quoted
$sql .= ' AND merk IN(:merk)';
}
}
if(isset($_POST['brandstof']))
{
$brandstof = implode(',$_POST['brandstof']);
if (preg_replace('/[^A-Za-z0-9\-]/',$brandstof)) {
$sql .= ' AND brandstof IN(:brandstof)';
}
}
if(isset($_POST['carrosserie']))
{
$carrosserie = implode(',$_POST['carrosserie']);
if (preg_replace('/[^A-Za-z0-9\-]/',$carrosserie)) {
$sql .= ' AND carrosserie IN(:carrosserie)';
}
}
merk 复选框,该代码将执行。查询有问题吗?
//We prepare our SELECT statement.
$statement = $pdo->prepare($sql);
if(isset($_POST['merk']))
{
$statement->bindParam(":merk",$merk);
// $params[] .= $merk;
}
if(isset($_POST['brandstof']))
{
$statement->bindParam(":brandstof",$brandstof);
// $params[] .= $brandstof;
}
if(isset($_POST['carrosserie']))
{
$statement->bindParam(":carrosserie",$carrosserie);
// $params[] .= $carrosserie;
}
$statement->execute();
Array ( [0] => BMW [1] => Skoda )
解决方法
您在解析输入时使用了奇怪的引号,例如 "','"。此外,您不应在语句中引用实际的占位符。
在聊天之后,我意识到问题在于 IN 子句和 bindParams() 不支持数组。
来自 PDOStatement::execute 的 documentation:
input_parameters 一个包含尽可能多元素的值数组 正在执行的 SQL 语句中的绑定参数。所有值都是 视为 PDO::PARAM_STR。
多个值不能绑定到单个参数;例如,它 不允许将两个值绑定到单个命名参数 IN() 子句。
为了解决这个问题,您需要将代码更改为如下所示:
// Enable error reporting to spot any warnings and errors.
ini_set('display_errors',true);
error_reporting(E_ALL);
$params = array();
// Creates an IN clause with placeholders and stores parameters
function createInParam(array $data,$name,$query,array &$params) {
$query .= " AND $name IN (";
foreach ($data as $key => $value) {
$params[$name . '_' . $key] = $value;
$query .= ":${name}_${key},";
}
return rtrim($query,',') . ')';
}
// Bind all parameters to statement
function bindParams($statement,array $params) {
foreach ($params as $key => $value) {
$statement->bindParam(":$key",$params[$key]);
}
}
if (isset($_POST['merk'])) {
$merk = implode(',$_POST['merk']);
if (preg_replace('/[^A-Za-z0-9\-]/','',$merk)) {
$data = explode(',$merk);
$sql = createInParam($data,'merk',$sql,$params);
}
}
if (isset($_POST['brandstof'])) {
$brandstof = implode(',$_POST['brandstof']);
if (preg_replace('/[^A-Za-z0-9\-]/',$brandstof)) {
$data = explode(',$brandstof);
$sql = createInParam($data,'brandstof',$params);
}
}
if (isset($_POST['carrosserie'])) {
$carrosserie = implode(',$_POST['carrosserie']);
if (preg_replace('/[^A-Za-z0-9\-]/',$carrosserie)) {
$data = explode(',$carrosserie);
$sql = createInParam($data,'carrosserie',$params);
}
}
// Then bind all parameters and execute
bindParams($statement,$params);
if ($statement->execute()) {
// Success
}
做同样事情的另一种方式是:
$params = array();
if (isset($_POST['merk'])) {
$merk = implode(',$merk)) {
$inClause = implode(',array_fill(0,count($_POST['merk']),'?'));
$sql .= " AND merk IN ($inClause)";
$params = array_merge($params,explode(',$merk));
}
}
if (isset($_POST['brandstof'])) {
$brandstof = implode(',$brandstof)) {
$inClause = implode(',count($_POST['brandstof']),'?'));
$sql .= " AND brandstof IN ($inClause)";
$params = array_merge($params,$brandstof));
}
}
if (isset($_POST['carrosserie'])) {
$carrosserie = implode(',$carrosserie)) {
$inClause = implode(',count($_POST['carrosserie']),'?'));
$sql .= " AND carrosserie IN ($inClause)";
$params = array_merge($params,$carrosserie));
}
}
if ($statement->execute($params)) {
// Success
}