PHP mysql -... AND column = 'anything' ...?

Is there a way to check if a column is "anything"? The reason is that I have a search function that gets the identifier from the URL and then passes it through the SQL algorithm and shows the result. But if this "function" (?) URL is blank, it just looks for:

...AND column=''...

and this does not return any results at all. I tried using "%" but it does nothing.

Any ideas?

Here's the request:

mysql_query("SELECT * FROM filer 
             WHERE real_name LIKE '%$searchString%' 
                   AND public='1' AND ikon='$tab' 
                   OR filinfo LIKE '%$searchString%' 
                   AND public='1' 
                   AND ikon='$tab' 
             ORDER BY rank DESC, kommentarer DESC");

The problem is "ikon = ''" ...

+3
6 answers

and ikon like '%' , " ". , like - , , SQL like, '%' .

, , SQL-. , mysqli , mysql_real_escape_string().

+4

:

AND ('$tab' = '' OR ikon = '$tab')

, .

, PHP , $id .

+3

, :

$query = "SELECT * FROM table WHERE foo='bar'";

if(isset($_GET['id'])) {
    $query .= " AND column='" . mysql_real_escape_string($_GET['id']) . "'";
}

: OP.

+2

, ​​ if-else:

$id = (int) $_GET['id'];

if ($id)
{
  // run query
}
else
{
  // echo oops
}
0

, ""
: .
.
:

$w=array();
if (!empty($_GET['rooms'])) $w[]="rooms='".mysql_real_escape_string($_GET['rooms'])."'";
if (!empty($_GET['space'])) $w[]="space='".mysql_real_escape_string($_GET['space'])."'";
if (!empty($_GET['max_price'])) $w[]="price < '".mysql_real_escape_string($_GET['max_price'])."'";

if (count($w)) $where="WHERE ".implode(' AND ',$w); else $where='';
$query="select * from table $where";

:

$ikon="";
if ($id) $ikon = "AND ikon='$tab'";
mysql_query("SELECT * FROM filer 
             WHERE (real_name LIKE '%$searchString%' 
                   OR filinfo LIKE '%$searchString%')
                   AND public='1' 
                   $ikon 
             ORDER BY rank DESC, kommentarer DESC");

,

0
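The answers above all circle the same two points: only append the `ikon` filter when the URL actually carries a value, and parenthesise the two `LIKE` branches so the `AND public='1'` part applies to both. Here is the same dynamic-WHERE idea rebuilt with PDO prepared statements, added as an illustration and not code from the question or any of the answers. The table and column names (`filer`, `real_name`, `filinfo`, `public`, `ikon`, `rank`, `kommentarer`) are taken from the question; the function names `buildSearchQuery` and `escapeLike` and the connection parameters are assumptions for the example.

```php
<?php
// Added example (not from the question or any answer): the optional-filter
// pattern from the answers, with PDO placeholders so user input never becomes
// part of the SQL text. Table/column names come from the question; the
// function names and the connection details are assumptions for this example.

function buildSearchQuery(array $params): array
{
    // Always-present conditions. The OR pair is parenthesised: in the question's
    // query, AND binds tighter than OR, so "OR filinfo LIKE ..." silently
    // escaped the public and ikon filters.
    // MySQL's native prepares do not allow one named placeholder to be used
    // twice, hence :term and :term2 for the same value.
    $where = ['(real_name LIKE :term OR filinfo LIKE :term2)', 'public = 1'];
    $bind  = [];

    $term = '%' . escapeLike($params['q'] ?? '') . '%';
    $bind[':term']  = $term;
    $bind[':term2'] = $term;

    // Optional filter: appended only when the URL carries a non-empty value,
    // which is what "column = anything" really means for an empty input.
    if (isset($params['tab']) && $params['tab'] !== '') {
        $where[] = 'ikon = :tab';
        $bind[':tab'] = $params['tab'];
    }

    // `rank` is a reserved word since MySQL 8.0.2, so it is quoted here.
    $sql = 'SELECT * FROM filer WHERE ' . implode(' AND ', $where)
         . ' ORDER BY `rank` DESC, kommentarer DESC';
    return [$sql, $bind];
}

// A bound parameter stops injection, but LIKE still interprets % and _ inside
// the value, so a user typing "%" alone would match every row. Escape them
// when the search term should be matched literally (MySQL's default LIKE
// escape character is the backslash).
function escapeLike(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

// Usage (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
//                'DB_USER', 'DB_PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// [$sql, $bind] = buildSearchQuery($_GET);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($bind);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

With `tab` absent or empty, the generated SQL is `SELECT * FROM filer WHERE (real_name LIKE :term OR filinfo LIKE :term2) AND public = 1 ORDER BY ...`; with `tab=foo` it gains `AND ikon = :tab` and the value is bound separately. If you do want users to be able to type `%` as a wildcard in the search box, drop the `escapeLike` call for that field; keep it for any field that is meant to be an exact identifier.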

, . , - - , "OR 1 = 1". , LIKE - , ( ) - . "field = anything" :

  • { LIKE '%'}
  • { LIKE 'specific_value'} - , .

Using 'specific_value%' or '% specific_value' will begin to perform partial matching. Therefore, LIKE should do whatever you need when you have an input variable, which can be "%", to get all or a specific value that you want to match exactly. This is what search filtering behavior usually looks like.

0

Source: https://habr.com/ru/post/1746862/
