使用文本框和复选框进行高级搜索

I'm having trouble getting my "Advanced Search" functionality of my website working. Essentially, its an advanced search for musicians (city, name members, zip by text box and genre by checkboxes). Here is code on the "Advanced Search" php page...

<form method="post" action="advsearchresults.php">
<div class="control-group">
    <div class="controls span4">
    <label>City</label>
        <input type="text" name="advCity" placeholder="Ex: San Marcos..." />
    <label>Zip Code</label>
    <input type="text" name="advZip" placeholder="Ex: 78666..." />
    <label>Band Name</label>
        <input type="text" name="advBand" placeholder="Ex: Catchy Band Name..." />
    <label>Band Member Name</label>
        <input type="text" name="advMember" placeholder="Ex: Steve Stevenson..." />
</div>
<div class="controls span2"><br/><br/><br/>
    <label class="checkbox">
        <input type="checkbox" name="check_list[]" value="Blues"> Blues
    </label>
    <label class="checkbox">
        <input type="checkbox" name="check_list[]" value="Classical"> Classical
    </label>
    <label class="checkbox">
        <input type="checkbox" name="check_list[]" value="Comedy"> Comedy
    </label>
    <label class="checkbox">
    <input type="checkbox" name="check_list[]" value="Country"> Country
    </label>
    ...
    ...
    </div>
    <div class="span12">
        <center>
        <input type="submit" class="btn btn-info" value=" Advanced Search ">
    </div>
    ...

And here is the "Advanced Search Results" page...

...
<?php
$advCity = $_POST['advCity'];
$advZip = $_POST['advZip'];
$advBand = $_POST['advBand'];
$advMember = $_POST['advMember'];
$check = $_POST['check_list'];
?>
...

<?php
if(isset($_POST['check_list']) && is_array($_POST['check_list'])){
    foreach($_POST['check_list'] as $check) {
        $genreQuery = "SELECT profile.PROFILE_GENRE, profile.PROFILE_BANDNAME
        FROM profile INNER JOIN band ON profile.PROFILE_PROFILEID = band.BAND_PROFILEID
        INNER JOIN bandmember ON band.BAND_BANDID = bandmember.BANDMEMBER_BANDID
        WHERE band.BAND_CITY = '$advCity' OR profile.PROFILE_GENRE = '$check' 
        OR band.BAND_ZIP = '$advZip' OR profile.PROFILE_BANDNAME = '$advBand' 
        OR bandmember.BANDMEMBER_NAME = '$advMember'";              
    $result = mysql_query($genreQuery) OR die(mysql_error());
    $num=mysql_numrows($result);
    mysql_close();
if ($num > 0){
    ?>
    <table class="table table-hover span8" method="post" action="bandpage.php">
    <thead>
    <tr>
        <th>Genre</th>
        <th>Band Name</th>
    </tr>
    </thead>
    <?php
        $i = 0;
        while ($i < $num) {
            $GENRE = mysql_result($result,$i,"profile.PROFILE_GENRE");
            $BANDNAME = mysql_result($result,$i,"profile.PROFILE_BANDNAME");
    ?>
    <tbody>
    <tr>
    <td><?php echo $GENRE; ?></td>
    <td><a href="bandpage.php" name="band"><?php echo $BANDNAME; ?>
    </a></td></tr</tbody>
    <?php
        $i++;               
        }
        }
else {
?>  
    <table class="table span8">
    <thead>
        <tr>
        <th>No musicians available for the city: <?php echo $advCity ?></th>
        </tr>
    </thead>
    </table>
<?php
    }
    }
    }
?>

The search results don't show up at all, rather random table data is shown. Any help is much appreciated!

Formatted SQL:

SELECT
    profile.PROFILE_GENRE,
    profile.PROFILE_BANDNAME
FROM
    profile
    INNER JOIN band       ON profile.PROFILE_PROFILEID = band.BAND_PROFILEID
    INNER JOIN bandmember ON band.BAND_BANDID          = bandmember.BANDMEMBER_BANDID
WHERE
    band.BAND_CITY             = '$advCity' OR
    profile.PROFILE_GENRE      = '$check' OR
    band.BAND_ZIP              = '$advZip' OR
    profile.PROFILE_BANDNAME   = '$advBand' OR
    bandmember.BANDMEMBER_NAME = '$advMember'

Your SQL is executing all of the predicates regardless of their being set, so if a user does not explicitly provide a value for $advBand then it will have the value of "" (the empty-string), which will still be included in your query. Because OR is commutative any row with an empty PROFILE_BANDNAME value will be returned.

There are two possible solutions: "Dynamic SQL" where you manually add the predicates, or you add a guard expression for each predicate. Dynamic SQL can be error-prone, so adding expressions to the WHERE is probably easier, it should look like this:

(this example uses the MySQL-specific field > '' syntax which is a fast way to peform a "is not null or empty" value comparison, it also uses MySQL parameters.

WHERE
    (:advCity   > '' AND band.BAND_CITY             = :advCity   ) OR
    (:check     > '' AND profile.PROFILE_GENRE      = :check     ) OR
    (:advZip    > '' AND band.BAND_ZIP              = :advZip    ) OR
    (:advBand   > '' AND profile.PROFILE_BANDNAME   = :advBand   ) OR
    (:advMember > '' AND bandmember.BANDMEMBER_NAME = :advMember )

Modifying the rest of your PHP to use MySQL parameters is an exercise for the reader :)