I have this code below on a website, it was written by someone else. I understand that it is taking the information that was entered in (company) and if the entry is empty it takes the user to companies.php page. If it is not empty it takes the entry and looks it up in the table.
The bit I really do not understand is after the else, the $WhereSection part, in particular the %. I thought that was what you use to make a comment?
Hope someone can help?
Thanks :)
if ($_POST["Company"] == "")
{
    // Empty search term: send the user back to the company listing.
    header("Location: companies.php?page=1");
    $Orders = "<div id='ErrorMessage'>Please enter a company name or partial company name to search the Credit Report Shop.</div>\n";
}
else
{
    $WhereSection = "";
    if ($_POST["Company"])
        // The % on either side of the term matches any company name containing it.
        $WhereSection .= "WHERE UPPER(Company) LIKE '%".strtoupper($_POST["Company"])."%'";
    $Statement = "SELECT * from jos_companies
        $WhereSection
        ORDER BY Company ASC, LastReport DESC";
    db_connect();
    $rid = mysql_query($Statement);
    $rcount = 0;
}
The % is a wildcard used in a LIKE clause in a SQL WHERE statement. So if the value of company is 'ABC', LIKE '%ABC%' will match any value that contains 'ABC' either at the beginning, in the middle or at the end; LIKE 'ABC%' will match all values beginning with 'ABC' and LIKE '%ABC' will match all values ending in 'ABC'.
And you should be escaping your $_POST fields before embedding them in SQL statements.
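A hardened version of the query from the question, added here as an example (it is not code from the question or from either answer). It assumes a PDO connection in a variable named $pdo to the same database, binds the search term as a prepared-statement parameter instead of concatenating it into the SQL, and also escapes the LIKE metacharacters so that a user typing "50%" or "A_B" gets a literal match rather than an extra wildcard.

```php
<?php
// Added example; assumes $pdo (PDO, MySQL) is created elsewhere.

// Escape the LIKE metacharacters % and _ (and the escape character itself)
// so user input is matched literally. '!' is used as the escape character
// to avoid MySQL's own backslash handling in string literals.
function escapeLikePattern(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Same search as the original $Statement, but the term is bound as a
// parameter and the wildcards are added by the code, not by the user.
function searchCompanies(PDO $pdo, string $company): array
{
    $sql = "SELECT * FROM jos_companies
            WHERE UPPER(Company) LIKE :pattern ESCAPE '!'
            ORDER BY Company ASC, LastReport DESC";
    $stmt = $pdo->prepare($sql);
    $pattern = '%' . strtoupper(escapeLikePattern($company)) . '%';
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Mirrors the flow of the original code; exit after the redirect so the
// rest of the page does not keep running for an empty search.
$company = $_POST['Company'] ?? '';
if ($company === '') {
    header('Location: companies.php?page=1');
    exit;
}
$rows = searchCompanies($pdo, $company);
$rcount = count($rows);
```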
The % is a wildcard character for the LIKE search.
So, for example, if the input was "don", then LIKE '%don%'
would match names like "McDonalds" and "Donlen", etc.
$WhereSection .= "WHERE UPPER(Company) LIKE '%".strtoupper($_POST["Company"])."%'";
If there is information in $_POST['Company'] then we'd like to filter the query to match the company name. LIKE '%text%' will match anything that has text in it. % is a wildcard that matches anything. UPPER() is used to skip case sensitivity.
Good Luck