This topic was created 1236 days ago; the information in it may since have changed or been superseded.

12 replies, last 2023-01-30 22:57:58 +08:00

1 sun522198558 Jan 4, 2023

`foreach ($_GET as $key => $value) { }`

2 ersic Jan 4, 2023

I'd write it like this:
```php
<?php
$params = $_GET;
if ($params) {
    $where = '';
    foreach ($params as $key => $value) {
        // Keys and values are concatenated straight into the SQL text.
        if ($where == '') {
            $where = "$key = $value";
        } else {
            $where .= " and $key = $value";
        }
    }
    $sql = "SELECT * FROM table where " . $where;
}
```
4 8355 Jan 4, 2023

That code is really something.

5 tomczhen Jan 4, 2023 via Android

Look up SQL injection.

7 pota Jan 4, 2023

Don't write it like that; you'll get SQL-injected in no time. Use a simple ORM.

8 hgc81538 Jan 4, 2023

即的, 未
```php
<?php
// Each optional filter is read from the query string; null means "not supplied".
$one   = isset($_GET['one'])   ? filter_var($_GET['one'])   : null;
$two   = isset($_GET['two'])   ? filter_var($_GET['two'])   : null;
$three = isset($_GET['three']) ? filter_var($_GET['three']) : null;
$four  = isset($_GET['four'])  ? filter_var($_GET['four'])  : null;

$wheres = [];
$params = [];
if ($one !== null)   { $wheres[] = "`one` = ?";   $params[] = $one; }
if ($two !== null)   { $wheres[] = "`two` = ?";   $params[] = $two; }
if ($three !== null) { $wheres[] = "`three` = ?"; $params[] = $three; }
if ($four !== null)  { $wheres[] = "`four` = ?";  $params[] = $four; }

$sql = 'select * from `table`';
if ($wheres) {
    $sql .= ' where ' . implode(' and ', $wheres);
}

// Values are bound as parameters, never concatenated into the SQL text.
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare($sql);
if ($wheres) {
    $stmt->bind_param(implode('', array_fill(0, count($wheres), 's')), ...$params);
}
$stmt->execute();
```
10 cbasil Jan 10, 2023

```php
<?php
$one   = addslashes($_GET['one']);
$two   = addslashes($_GET['two']);
$three = addslashes($_GET['three']);
$four  = addslashes($_GET['four']);
$where = '1 = 1';
if ($one) $where .= " and `one` = '$one'";
if ($two) $where .= " and `two` = '$two'";
$sql = "SELECT * FROM table where " . $where;
```

Just a simple bit of filtering.
11 zhanshen1614 Jan 16, 2023

Put 1=1 after WHERE, use PDO, and iterate over the request parameter array to build a multi-condition dynamic query.
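The approach suggested above (iterate the request parameters, bind values with PDO), written out as an added example that is not code from any poster in this thread. Column names cannot be bound as parameters, so they are checked against an allowlist; the DSN, credentials, table and column names are assumed placeholders.

```php
<?php
// Added example: build a dynamic WHERE clause from request parameters.
// Identifiers (column names) come only from an allowlist; values are bound
// through named placeholders so they never enter the SQL text.

/** @return array{0: string, 1: array<string, string>} */
function build_where(array $params, array $allowedColumns): array
{
    $conditions = [];
    $bindings   = [];
    foreach ($params as $key => $value) {
        if (!in_array($key, $allowedColumns, true)) {
            continue; // unknown key: dropped (or throw, in stricter code)
        }
        if (!is_string($value) || $value === '') {
            continue; // skip array inputs (?one[]=x) and empty filters
        }
        $conditions[]      = "`$key` = :$key"; // named placeholder
        $bindings[":$key"] = $value;           // bound as data, not SQL
    }
    if ($conditions === []) {
        return ['', []];
    }
    return [' WHERE ' . implode(' AND ', $conditions), $bindings];
}

// Constructed input standing in for $_GET.
$get = [
    'one'  => "1' OR '1'='1", // stays a literal string value when bound
    'two'  => 'abc',
    'evil' => 'x',            // not in the allowlist: ignored
];
[$where, $bindings] = build_where($get, ['one', 'two', 'three', 'four']);
$sql = 'SELECT * FROM `table`' . $where;
// $sql is now: SELECT * FROM `table` WHERE `one` = :one AND `two` = :two

// Assumed connection details (placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=world', 'my_user', 'my_password', [
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($bindings);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```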