PDO Prepared Statement and SQL LIKE multiple values

2018-07-03 15:50:06

I've got a search form where the user can search for a serial number or name of product.

Here's my code:

<?php
require_once "pdo_rothConn.php";

if (isset($_POST['searchText'])){

$sql = "SELECT m_ipdb, m_name FROM machine WHERE 'm_ipdb' LIKE :number OR 'm_name' LIKE :name";
$stmt = $dbh->prepare($sql);
$stmet->execute(array(
    ':number' => $_POST['searchText'],
    ':name' => $_POST['searchText']));

while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
 echo($row['m_ipdb']);
 echo($row['m_name']);
}
?>

<p>Search for a Machine</p>
 <form method="post">
 <table width="500" border="1">
 <tr>
  <td>Enter IPDB Number or Name:</td>
  <td><input name="searchText" type="text" id="searchText" /></td>
 </tr>
 <tr>
  <td colspan="2"><input type="submit" value="Search Database"></td>
  <td><a href="#">Cancel</a></p></td>
 </tr>
  </table>
  </form>
  </body>
  </html>

First, is there a more concise way I can write my SQL statement since the $_POST value I'm searching for is the same? I wasn't sure if there as an error in my SQL statement also with the multiple LIKE statements.

As of now the resulting page is coming up blank and not working at all. I thought of splitting the code into a page and processing page instead of a post-back page. I'm stuck. But I asked this question before I learned about PDO and prepared statements and got feedback to learn about prepared/parameterized statements. Is the resulting code properly protecting against SQL injection as well?

Thanks.

$ stmet->执行到$ stmt-> execute？

链接地址: http://www.djcxy.com/p/93774.html

上一篇: PHP：使用预准备语句进行注入保护

下一篇: PDO Prepared Statement和SQL LIKE多个值