接下來製作搜尋頁面作為之後多重條件搜尋時使用
<?php
require_once 'connecttest2.php';
echo "<html>";
echo "<head>";
echo "<meta charset='UTF-8'>";
echo "<style>";
echo "table,th,td {border:1px solid black; width:80%;text-align:center}";
echo "#h1,#h2,#h3,#h4,#h5,#h6,#h7 {width:15%}";
echo "</style>";
echo "</head>";
echo "</html>";
echo"<form action='bookstoresearch.php' method='post'>
ID:<input type='text' name='userid' value = ''>
作者:<input type='text' name='username' value = ''>
書名:<input type='text' name='userbookname' value = ''>
金額:<input type='text' name='usermin' value = ''> - <input type='text' name='usermax' value = ''>
<input type='submit' value='查詢'/>
</form>";
echo "<br>";
echo "<a href='bookstore.php'>回首頁</a>";
echo "<br>";
//
echo "<table>";
echo "<tr>";
echo "<td id ='h1'>編號</td>";
echo "<td id ='h2'>作者</td>";
echo "<td id ='h3'>書名</td>";
echo "<td id ='h4'>金額</td>";
echo "<td id ='h5'>時間</td>";
echo "</tr>";
//
if ( $_POST['userid'] ||$_POST['username']||$_POST['userbookname']||$_POST['usermin']||$_POST['usermax'] )//如果有輸入資料
{
echo"You POST ID : ";
echo $_POST["userid"];
echo"<br>";
echo"You POST NAME : ";
echo $_POST["username"];
echo"<br>";
echo"You POST BOOKNAME : ";
echo $_POST["userbookname"];
echo"<br>";
echo"You POST MIN : ";
echo $_POST["usermin"];
echo"<br>";
echo"You POST MAX : ";
echo $_POST["usermax"];
echo"<br>";
//透過POST有無訊息來決定SQL語句要接的參數,空值的話就模擬注入攻擊的方式帶入
if ( !empty($_POST['userid']) )
{
$userid2 = $_POST['userid'];
$userid3 = " '$userid2' ";
}else{
$userid3 = " '' or 1=1 ";
}
if ( !empty($_POST['username']) )
{
$username2 = $_POST['username'];
$username3 = "NAME LIKE '%$username2%'";
}else{
$username3 = " NAME LIKE '%%' ";
}
if ( !empty($_POST['userbookname']) )
{
$userbookname2 = $_POST['userbookname'];
$userbookname3 = "BOOKNAME LIKE '%$userbookname2%'";
}else{
$userbookname3 = " BOOKNAME LIKE '%%' ";
}
if ( !empty($_POST['usermin']) )
{
$usermin2 = $_POST['usermin'];
$usermin3 = "$usermin2";
}else{
$usermin3 = "0";
}
if ( !empty($_POST['usermax']) )
{
$usermax2 = $_POST['usermax'];
$usermax3 = "$usermax2";
}else{
$usermax3 = "10000000000000000000";
}
$sql="SELECT ID,NAME,BOOKNAME,CASH,DATETIME FROM bookstore WHERE ID = $userid3 && $username3
&& $userbookname3 && $usermin3 <= CASH && $usermax3 >= CASH ";
$result2 = $conn->prepare($sql);
$result2 ->execute();
while($row = $result2->fetch(PDO::FETCH_NUM))
{
echo "<tr>";
echo "<td id ='h1'>$row[0]</td>";
echo "<td id ='h2'>$row[1]</td>";
echo "<td id ='h3'>$row[2]</td>";
echo "<td id ='h4'>$row[3]</td>";
echo "<td id ='h5'>$row[4]</td>";
echo "</tr>";
}
}
//若$_POST['userid'],$_POST['username'],$_POST['userbookname'],$_POST['usermin'],$_POST['usermax']都沒有填值,則直接顯示出來
else{
//$result=mysqli_query($conn, "SELECT ID,NAME,BOOKNAME,CASH,DATETIME FROM bookstore ORDER BY ID DESC");
$sql = "SELECT ID,NAME,BOOKNAME,CASH,DATETIME FROM bookstore ORDER BY ID DESC";
$result = $conn->prepare($sql);
$result ->execute();
while($row = $result->fetch(PDO::FETCH_NUM))
{
echo "<tr>";
echo "<td id ='h1'>$row[0]</td>";
echo "<td id ='h2'>$row[1]</td>";
echo "<td id ='h3'>$row[2]</td>";
echo "<td id ='h4'>$row[3]</td>";
echo "<td id ='h5'>$row[4]</td>";
echo "</tr>";
}
}
echo "</table>";
?>
程式執行如下圖
搜尋作者名子裡面有D以及金額小於500的資料將其列出
留言列表
