の場合、$ GETの場合は

Question

ここに、期待どおりに動作しているPHPコードの抜粋があります。

しかし、私はSQLクエリを変更したいです。 それぞれの第1、第2、第3の変数が設定されていない限り、内部結合b、c、d、eはクエリの一部であってはなりません。

$word_first=$_GET["first"]; 
$word_second=$_GET["second"]; 
$word_third=$_GET["third"]; 
$word_forth=$_GET["forth"]; 
$word_fifth=$_GET["fifth"]; 
$word_sixth=$_GET["sixth"]; 
$word_seventh=$_GET["seventh"]; 
$word_eighth=$_GET["eighth"]; 


$query="select id, word from toprint as a 
inner join syl as b on b.word_id = a.id and b.char_id = '1' AND b.mychar LIKE '%".$word_first. "%' 
inner join syl as c on c.word_id = a.id and c.char_id = '2' AND c.mychar LIKE '%".$word_second. "%' 
inner join syl as d on d.word_id = a.id and d.char_id = '3' AND d.mychar LIKE '%".$word_third. "%' 
inner join syl as e on e.word_id = a.id and e.char_id = '4' AND e.mychar LIKE '%".$word_forth. "%' 
inner join syl as f on f.word_id = a.id and f.char_id = '5' AND f.mychar LIKE '%".$word_fifth. "%' 
inner join syl as g on g.word_id = a.id and g.char_id = '6' AND g.mychar LIKE '%".$word_sixth. "%' 
inner join syl as h on h.word_id = a.id and h.char_id = '7' AND h.mychar LIKE '%".$word_seventh. "%' 
inner join syl as i on i.word_id = a.id and i.char_id = '8' AND i.mychar LIKE '%".$word_eighth. "%' 
limit 2000"; 

Answer 1

<?php 

$word_fifth=mysql_real_escape_string($_GET["fifth"]); 
$word_sixth=mysql_real_escape_string($_GET["sixth"]); 
$word_seventh=mysql_real_escape_string($_GET["seventh"]); 
$word_eighth=mysql_real_escape_string($_GET["eighth"]); 


$query="select id, word from toprint as a"; 
if(isset($_GET["first"])) 
{ 
$query.="inner join syl as b on b.word_id = a.id and b.char_id = '1' AND b.mychar  LIKE '%".mysql_real_escape_string($_GET["first"]). "%' "; 
} 
if(isset($_GET["second"])) 
{ 
$query.="inner join syl as c on c.word_id = a.id and b.char_id = '1' AND c.mychar LIKE '%".mysql_real_escape_string($_GET["second"]). "%' "; 
} 
if(isset($_GET["third"])) 
{ 
$query.="inner join syl as d on b.word_id = a.id and d.char_id = '1' AND d.mychar LIKE '%".mysql_real_escape_string($_GET["third"]). "%' "; 
} 
if(isset($_GET["forth"])) 
{ 
$query.="inner join syl as e on e.word_id = a.id and d.char_id = '1' AND e.mychar LIKE '%".mysql_real_escape_string($_GET["forth"]). "%' "; 
} 



$query.="inner join syl as f on f.word_id = a.id and f.char_id = '5' AND f.mychar LIKE '%".$word_fifth. "%' 
inner join syl as g on g.word_id = a.id and g.char_id = '6' AND g.mychar LIKE '%".$word_sixth. "%' 
inner join syl as h on h.word_id = a.id and h.char_id = '7' AND h.mychar LIKE '%".$word_seventh. "%' 
inner join syl as i on i.word_id = a.id and i.char_id = '8' AND i.mychar LIKE '%".$word_eighth. "%' 
limit 2000"; 

？>

Answer 2

フォームを管理している場合は、私が見えるようにフィールドを変更することをお勧め：無限であることに加え

foreach($_GET['word'] as $number => $value) { 
    $table = 'syl' . intval($number); 
    $query .= 'INNER JOIN syl AS ' . $table . ' ON a.id = ' . $table . '.id AND ' . $table . '.char_id = '. intval($number) . ' AND ' . $table . ".mychar LIKE '%" . mysql_real_escape_string($value) . "%'"; 
} 

：あなたは、単に行うことができ、あなたのPHPに続いて

<input type="..." name="word[2]" /> 

拡張性があり、コードも非常に少なくなっています。

mysql_real_escape_stringを含めることを忘れないでください。それがなければ、訪問者はあなたが望む任意の任意のSQLを注入することができます。