基于一个查询中的三个可能条件的SQL SELECT

page = request.form.get("page") searchText = request.form.get("searchText") bookAttr = request.form.get("bookAttr") likesearchText = "%" + searchText + "%" # Search results fixed to 10 per page if bookAttr == "isbn": rows = db.execute("SELECT isbn, title, author, year FROM books WHERE isbn LIKE :isbn LIMIT :start OFFSET :off", {"isbn": likesearchText, "start": 10, "off": int(page) * 10}).fetchall() elif bookAttr == "title": rows = db.execute("SELECT isbn, title, author, year FROM books WHERE title LIKE :title LIMIT :start OFFSET :off", {"title": likesearchText, "start": 10, "off": int(page) * 10}).fetchall() else: rows = db.execute("SELECT isbn, title, author, year FROM books WHERE author LIKE :author LIMIT :start OFFSET :off", {"author": likesearchText, "start": 10, "off": int(page) * 10}).fetchall()

2条回答

网友

1楼 · 编辑于 2024-05-11 07:11:46

你可以这样做：

SELECT isbn, title, author, year
FROM books
WHERE isbn LIKE :isbn OR title LIKE :title OR author LIKE :author;

如果其中两个参数为NULL或空字符串，则该方法可以正常工作

网友

2楼 · 编辑于 2024-05-11 07:11:46

这实际上不是SQL解决方案。。。但是您是否考虑过动态设置value列？类似这样的（未测试）：

page = request.form.get('page')
searchText = request.form.get('searchText')
bookAttr = request.form.get('bookAttr')
# Avoid SQL injection vulnerability by checking the parameter value
if bookAttr != 'isbn' and bookAttr != 'title' and bookAttr != 'author':
    raise ValueError('Unsupported bookAttr: ' + bookAttr)
rows = db.execute('SELECT isbn, title, author, year FROM books WHERE '
                  + bookAttr
                  + ' LIKE :searchText LIMIT :start OFFSET :off',
                  {'searchText': '%' + searchText + '%', 'start': 10,
                  'off': int(page) * 10}).fetchall()

相关问题更多 >

编程相关推荐

热门问题

热门文章