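<!DOCTYPE html>
<html>
<head>
<title>Book-O-Rama Search Results</title>
</head>
<body>
<?php
// Search-results page: reads 'searchtype' (the Books column to match) and
// 'searchterm' (the value to look for) from the POSTed form, runs one
// prepared query and prints each matching book. Every failure path prints a
// generic message and exits; no driver error text reaches the client.

// Expected to define $db_server, $db_user, $db_password and $db_name.
// The credentials file lives outside the web root so it is never served.
include('E:/laragon/pass/pass.php');

// Short variable names for the form fields. A missing field becomes '' rather
// than raising an undefined-index notice, and is then rejected below.
$searchtype = $_POST['searchtype'] ?? '';
$searchterm = trim($_POST['searchterm'] ?? '');

if ($searchtype === '' || $searchterm === '') {
    echo '<p>You have not entered search details.<br />
Please go back and try again.<p>';
    exit;
}

// Whitelist the search type. It is interpolated into the query as a column
// name (identifiers cannot be bound as parameters), so this strict, exact-match
// comparison against a fixed list is what keeps that interpolation safe.
$allowedSearchTypes = ['Title', 'Author', 'ISBN'];
if (!in_array($searchtype, $allowedSearchTypes, true)) {
    echo '<p>That is not a valid search type. <br />
Please go back and try again.<p>';
    exit;
}

$db = new mysqli($db_server, $db_user, $db_password, $db_name);
if ($db->connect_error) {
    // Deliberately generic: connect_error would expose host/user details.
    echo '<p>Error: Could not connect to database.<br />
Please try again.<p>';
    exit;
}

// Send the query template and the data separately (prepared statement) so the
// search term is always treated as a value, never as SQL. '?' is the placeholder.
$query = "SELECT ISBN, Author, Title, Price FROM Books WHERE $searchtype = ?";
$stmt = $db->prepare($query);
if ($stmt === false) {
    echo '<p>Error: Could not run the search.<br />
Please try again.<p>';
    $db->close();
    exit;
}

// One type character per placeholder, in order: 's' = string, 'i' = integer,
// 'b' = blob, 'd' = double.
$stmt->bind_param('s', $searchterm);
if (!$stmt->execute()) {
    echo '<p>Error: Could not run the search.<br />
Please try again.<p>';
    $stmt->close();
    $db->close();
    exit;
}

$stmt->store_result();
$stmt->bind_result($isbn, $author, $title, $price);

echo "<p>Number of books found: " . $stmt->num_rows . "</p>";

while ($stmt->fetch()) {
    // Column values come from the database and are echoed into HTML, so they
    // are escaped: a stored '<script>' in a title must render as text, not run.
    $safeTitle  = htmlspecialchars((string) $title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeAuthor = htmlspecialchars((string) $author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeIsbn   = htmlspecialchars((string) $isbn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    echo "<p><strong>Title: " . $safeTitle . "</strong>";
    echo "<br />Author: " . $safeAuthor;
    echo "<br />ISBN: " . $safeIsbn;
    echo "<br />Price: \$" . number_format((float) $price, 2) . "</p>";
}

// Release the result set and the statement before dropping the connection.
$stmt->free_result();
$stmt->close();
$db->close();
?>
</body>
</html>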