我在WP数据库中有一个名为WP\\U products的自定义表。它有标题为ID、SKU、Details和Page的列。我试图通过默认搜索框搜索此表,因此我已替换了搜索。包含以下代码的php文件。这是不工作,我不知道足够的PHP来修复它。有人能帮我解决这个问题吗?
<?php
/**
* Author:
* Created on:
*
* @package Neve
*/
function search_it() {
if ( is_search() && isset( $_GET[\'s\'] ) ) {
global $wpdb;
$address_table = $wpdb->prefix . "wp_products";
$search = $_GET[\'s\'];
$search = "%{$search}%";
$where = $wpdb->prepare( \'WHERE SKU LIKE %s OR Details LIKE %s OR Page LIKE %s\', $search, $search, $search );
$results = $wpdb->get_results( "SELECT * FROM {$address_table} {$where}" );
return $product;
}
return array();
}
$container_class = apply_filters( \'neve_container_class_filter\', \'container\', \'blog-archive\' );
get_header();
$cities = search_it();
if ( ! empty( $cities ) ) {
echo \'<h1>Catalogue Search Results:</h1>\';
foreach( $cities AS $city ) {
echo "<table width=\'100%\' align=\'center\' border=\'3px solid grey\'>";
echo "<tr>";
echo "<th style=\'background: #B9C9FE;\'>Part Number</th>";
echo "<th style=\'background: #B9C9FE;\'>Description</th>";
echo "<th style=\'background: #B9C9FE;\'>Page</th>";
echo "</tr>";
echo "<tbody>";
for ($i=$start;$i < $end ;++$i ) {
$results = $results[$i];
echo "<tr>";
echo "<td>$city->SKU</td>";
echo "<td>$city->description</td>";
echo "<td>$city->Page</td>";
echo "</tr>";
}
echo "</tbody>";
echo "</table>";
}
}
get_search_form();
?>
<?php
get_footer();
以下是更新的代码:
<?php
/*
Template Name: Search Page
*/
function search_it() {
$search = filter_input( INPUT_GET, \'s\', FILTER_SANITIZE_STRING );
if ( ! is_search() || empty( $search ) ) {
return array();
}
global $wpdb;
$address_table = $wpdb->prefix . \'products\';
$search = $wpdb->esc_like( $search );
$search = "%{$search}%";
$query = "SELECT * FROM {$wpdb->prefix}products WHERE SKU LIKE %s OR Details LIKE %s OR Page Like %s";
$query = $wpdb->prepare( $query, $search, $search, $search );
return $wpdb->get_results();
}
get_header();
$cities = search_it();
if ( ! empty( $cities ) ) {
echo \'<h1>Catalogue Search Results:</h1>\';
echo "<table width=\'100%\' align=\'center\' border=\'3px solid grey\'>";
echo "<tr>";
echo "<th style=\'background: #B9C9FE;\'>Part Number</th>";
echo "<th style=\'background: #B9C9FE;\'>Description</th>";
echo "<th style=\'background: #B9C9FE;\'>Page</th>";
echo "</tr>";
echo "<tbody>";
foreach( $cities AS $city ) {
echo "<tr>";
echo "<td>{$city->SKU}</td>";
echo "<td>{$city->Details}</td>";
echo "<td>{$city->Page}</td>";
echo "</tr>";
}
echo "</tbody>";
echo "</table>";
} else {
echo "<h1 class=\'page-title\'>";
printf( __( \'There are no search results for: %s\', \'shape\' ), \'<span>\' . get_search_query() . \'</span>\' );
echo ".</h1>";
$query;
}
get_search_form();
get_footer();
这里是print\\r($wpdb->prepare($query,$search,$search,$search));死亡输出:
SELECT * FROM wp_products WHERE SKU LIKE \'{feeb191b44038789f6b0c639a9f2fe6ff48090427c92513c8582b33a4cbf1c42}GASKET{feeb191b44038789f6b0c639a9f2fe6ff48090427c92513c8582b33a4cbf1c42}\' OR Details LIKE \'{feeb191b44038789f6b0c639a9f2fe6ff48090427c92513c8582b33a4cbf1c42}GASKET{feeb191b44038789f6b0c639a9f2fe6ff48090427c92513c8582b33a4cbf1c42}\' OR Page Like \'{feeb191b44038789f6b0c639a9f2fe6ff48090427c92513c8582b33a4cbf1c42}GASKET{feeb191b44038789f6b0c639a9f2fe6ff48090427c92513c8582b33a4cbf1c42}\'
以上是我运行此查询时得到的输出:
$query = "SELECT * FROM {$wpdb->prefix}products WHERE SKU LIKE %s OR Details LIKE %s OR Page Like %s";
最合适的回答,由SO网友:phatskat 整理而成
代码中有很多内容,所以我用一些注释重写了主函数。注释概述:
$address_table 是多余的,也可能不是您想要的,您只使用了一次这个变量,所以在查询中直接将它串联起来是安全的。此外,您使用$wpdb->prefix 扩展$address_table “到值”wp_wp_products,可能不是您想要的。我在代码中留下了一些注释,但您在最后的方法中不需要任何注释,只需使用$query.
提前返回
在条件失败时返回,而不是在条件通过时执行逻辑(即
is_search() && isset( $_GET[\'s\'] ) 块),使代码更具可读性。
正在转义输入我知道您正在使用$wpdb->prepare 最终,但在您计划使用输入时立即对其进行清理并没有坏处。这边,如果你通过$search 在以后的其他地方,它将有望比您的功能更安全。另请注意$wpdb->esc_like() 准备在中使用的搜索LIKE 条款
function search_it() {
// Sanitize user input early, especially if assigning to a variable like later.
$search = filter_input( INPUT_GET, \'s\', FILTER_SANITIZE_STRING );
// Early returns make your code more readable.
if ( ! is_search() || empty( $search ) ) {
return array();
}
global $wpdb;
/**
* Some things about `$address_table`:
* - You don\'t need double quotes if you\'re concatenating
* - You only use it in your query, see below where I incorporate it inline.
* - $wpdb->prefix is usually "wp_", so you\'re table comes out to "wp_wp_products" -
* I don\'t think that\'s what you want.
*/
$address_table = $wpdb->prefix . \'products\';
// Double quote would look like this:
// $address_table = "{$wpdb->prefix}products";
// https://codex.wordpress.org/Class_Reference/wpdb/esc_like
$search = $wpdb->esc_like( $search );
$search = "%{$search}%";
// Why not prepare the whole query"?
// Also, you don\'t even need $address_table
$query = "SELECT * FROM {$wpdb->prefix}products WHERE SKU LIKE %s OR Details LIKE %s OR Page Like %s";
$query = $wpdb->prepare( $query, $search, $search, $search );
return $wpdb->get_results();
}
如果你有任何问题,请告诉我。
Edit: 我不小心打了filter_validate 而不是filter_input
为了解决代码的第二部分,它看起来像for 循环正在使用$start 和$end, 尚未定义。你也不需要另一个循环,因为你已经在循环你的结果了。请尝试以下操作:
$cities = search_it();
if ( ! empty( $cities ) ) {
echo \'<h1>Catalogue Search Results:</h1>\';
echo "<table width=\'100%\' align=\'center\' border=\'3px solid grey\'>";
echo "<tr>";
echo "<th style=\'background: #B9C9FE;\'>Part Number</th>";
echo "<th style=\'background: #B9C9FE;\'>Description</th>";
echo "<th style=\'background: #B9C9FE;\'>Page</th>";
echo "</tr>";
echo "<tbody>";
foreach( $cities AS $city ) {
echo "<tr>";
echo "<td>{$city->SKU}</td>";
echo "<td>{$city->description}</td>";
echo "<td>{$city->Page}</td>";
echo "</tr>";
}
echo "</tbody>";
echo "</table>";
}
