我有一个目录页面,其中通过ajax显示产品. Ajax调用的代码如下:
函数updateProducts(opts){
$.ajax({
type: "POST",
url: "func.PHP",
dataType : 'json',
cache: false,
data: {filterOpts: opts},
success: function(records){
$('#slider').html(makeProdiv(records));
}
});
}
$pdo = new PDO('MysqL:host=localhost;dbname=filter', 'root', '');
$select = 'SELECT id, pname, prate, pdesc';
$from = ' FROM product';
$where = ' WHERE TRUE';
$opts = isset($_POST['filterOpts'])? $_POST['filterOpts'] : array('');
if (in_array("Shoes", $opts)) { $where .= " AND ptype = 'Shoes'"; }
if (in_array("Belt", $opts)) { $where .= " AND ptype = 'Belt'"; }
$sql = $select . $from . $where;
$statement = $pdo->prepare($sql);
$statement->execute();
$results = $statement->fetchAll(PDO::FETCH_ASSOC);
$json = json_encode($results);
echo($json);
我面临的问题是:
当我在过滤器中同时选择“皮带”和“鞋子”时,将不会显示任何结果,因为查询结果如下所示:
SELECT id, pname, prate, pdesc FROM product WHERE TRUE AND ptype = 'Shoes'
AND ptype = 'Belt'
请让我知道如何实现这一点,因为单个产品检查工作正常.
解决方法:
确实,一旦您有两个冲突的条件,您的查询将不会返回任何内容.
要解决此问题,应替换为:
$opts = isset($_POST['filterOpts'])? $_POST['filterOpts'] : array('');
if (in_array("Shoes", $opts)) { $where .= " AND ptype = 'Shoes'"; }
if (in_array("Belt", $opts)) { $where .= " AND ptype = 'Belt'"; }
通过(也请注意第一行末尾的更改):
$opts = isset($_POST['filterOpts'])? $_POST['filterOpts'] : array();
if(count($opts)){
$where .= " AND ptype IN (". str_pad('',count($opts)*2-1,'?,') .")";
}
这将产生一个WHERE子句,如下所示:
AND ptype IN (?,?)
然后将$opts值作为参数传递给执行.这对于sql注入是安全的,因此您无需验证值是否在某些预定义列表中:
$statement->execute($opts);
