在mySQL中构建动态WHERE子句

时间:2013-12-02 15:39:06

标签: php mysql where

我有这个代码,如果我只是想按办公室名称搜索,它的效果很好。但是,我需要能够通过“办公室和/或名字和/或姓氏”进行搜索,这三者的任意组合。

$firstName      = $_POST["firstName"];
$lastName       = $_POST["lastName"];
$officeName     = $_POST ["officeName"];

$query = "SELECT 
e.*,
e.id emp_id,
o.*
";
$query .= "FROM 
employee_data e,
office o,
employee_office_pivot p
"; 
$query .= "WHERE 
1=1
AND e.id=p.employee_id
AND p.office_id=o.id
AND o.office_name= '".$officeName."'
";

如何构建WHERE子句,以便它接受三列中的任何一列,如果它们为null,则为none。

谢谢, 理查德

3 个答案:

答案 0 :(得分:2)

这样的东西?

$query .= "WHERE 
    1=1
    AND e.id=p.employee_id
    AND p.office_id=o.id
    AND (o.office_name= '".mysqli_real_escape_string($officeName)."'
        OR o.office_name= '".mysqli_real_escape_string($firstName)."'
        OR o.office_name= '".mysqli_real_escape_string($lastName)."')
    ";

我在这里使用mysqli_real_escape_string()作为示例,您应该使用正确和必要的预防措施来避免系统中的SQL注入。

答案 1 :(得分:1)

您可以使用数组动态构建SQL:

/**
 *  The items you expect to receive from $_POST. I prefer defining these ahead of time - when feasible - 
 *  so that you can reference them without worrying about throwing an error if they are not set.
 */
$options = array_fill_keys(array('firstName', 'lastName', 'officeName'), false);
$post = array_merge($options, $_POST);
/**
 *  Your base SQL query.
 */
$sql = 'SELECT ...columns... FROM ...tables... WHERE 1 = 1';
$where = array();
/**
 *  If $_POST items are present, sanitize and create SQL
 */
if ( $post['firstName'] ) {
    $where[] = "employee_first_name = '".mysqli_real_escape_string($post['firstName'])."'";
}
if ( $post['lastName'] ) {
    $where[] = "employee_last_name = '".mysqli_real_escape_string($post['lastName'])."'";
}
if ( $post['officeName'] ) {
    $where[] = "office_name = '".mysqli_real_escape_string($post['officeName'])."'";
}
/**
 *  One or more $_POST items were found, so add them to the query
 */
if ( sizeof($where) > 0 ) {
    $sql .= ' AND '.implode(' AND ', $where);   
}

您可以使用相同的技术动态地向SQL添加列,连接表等。 (提示:使用数组构建整个 SQL语句。)您也可以非常轻松地修改它以使用AND和OR的组合。

答案 2 :(得分:0)

$values = array(
    'firstName'  => 'someFirstName',
    'lastName'   => 'someLastName',
    'officeName' => 'someOfficeName'
);

foreach( $values as $col => $val )
{
    $where .= "$key = '$balue' ";
}

虽然这是SQL注入漏洞。

相关问题
最新问题