构建一个mysqli查询，并按页面显示顺序 [英] Building a mysqli query with order by and per page to show

问题描述

该页面显示所有结果，现在我要过滤结果以及每页有多少结果。为此，访问者使用一个简单的html GET表单来选择过滤器。

现在我得到GET表单并尝试过滤结果

 <？php 
 $ order_by = mysqli_real_escape_string（$ database，$ _ GET ['order_by']）; 
 $ order = if（empty（$ order_by））{echo'manufacturer';} else {echo'$ order_by'; 
？> 
  

好了，现在我们得到过滤器并尝试像这样得到MySQL的结果

  $ set_order = mysqli_query（$ database，SELECT * FROM`products` order by`$ order` ASC）;} 
  

但是我得到一行错误：

  $ order = if（empty（$ order_by））{echo'manufacturer';} else {echo'$ order_by'; 
  

无法找到这样做的方法...任何想法？

  
 > $ order ='manufacturer'; 
  

接下来，如果用户提供了其他内容，请用默认值替换。

  if（！empty（$ _ GET ['order_by']））{
 $ order = mysqli_real_escape_string（$ database，$ _GET [ 'ORDER_BY']）; 
} 
  

然后你可以使用它在查询中的任何内容。

  $ set_order = mysqli_query（$ database，SELECT * FROM`products` order by`$ order` ASC）; 
  

使用 mysqli_real_escape_string 在这里，但我会建议检查用户输入列表的可接受的列名称，以缓解SQL注入风险。

The page display all results, now I want to filter results and how many results per page. To do this the visitor use a simple html GET form to select the filter.

Now I get the GET form and try to filter the results

<?php
$order_by = mysqli_real_escape_string($database,$_GET['order_by']);
$order = if(empty($order_by)){echo 'manufacturer';}else{echo '$order_by';
?>

OK now we get the filter and try to get results from MySQL like this

$set_order=mysqli_query($database,"SELECT * FROM `products` order by `$order` ASC");}

But I get error in the line:

   $order = if(empty($order_by)){echo 'manufacturer';}else{echo '$order_by';

Cannot find a way to do this ... Any idea?

解决方案

First, set a default value for order by.

$order = 'manufacturer';

Next, if the user has provided something else, replace the default value with that.

if (!empty($_GET['order_by'])) {
    $order = mysqli_real_escape_string($database, $_GET['order_by']);
}

Then you can use whatever it ends up being in your query.

$set_order = mysqli_query($database, "SELECT * FROM `products` order by `$order` ASC");

It is definitely good that you're using mysqli_real_escape_string here, but I would recommend checking the user input against a list of acceptable column names to mitigate the SQL injection risk.

这篇关于构建一个mysqli查询，并按页面显示顺序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！