I have some code but I want it to ignore 'customer::$data['vehicle_id']' when category_id = 1, 4, 9.
I've struggled with the code below and to add another function is out of my capabilities, so any advice would be great. Thanks in advance.
If vehicle_id is not selected it works fine.
if (empty($_GET['manufacturer_id'])) {
$manufacturers_query = database::query(
"select distinct m.id, m.name from ". DB_TABLE_PRODUCTS ." p
left join ". DB_TABLE_MANUFACTURERS ." m on m.id = p.manufacturer_id ".
(!empty($_GET['category_id']) ? " left join " . DB_TABLE_PRODUCTS_TO_CATEGORIES . " pc on pc.product_id = p.id " : "").
(!empty(customer::$data['vehicle_id']) ? " left join " . DB_TABLE_PRODUCTS_TO_VEHICLES . " ptv on ptv.product_id = p.id " : "").
"where p.status
and manufacturer_id
". (!empty($_GET['category_id']) ? "and pc.category_id = " . (int)$_GET['category_id'] : "") ."
". (!empty(customer::$data['vehicle_id']) ? "and ptv.vehicle_id = " . (int)customer::$data['vehicle_id'] : "") ."
order by m.name asc;"
);
I've tried using this:
". (!empty(customer::$data['vehicle_id']) && (!empty($_GET['category_id']) || !array_intersect(array(1, 4, 9), $_GET['category_id'])) ? "and ptv.vehicle_id = " . (int)customer::$data['vehicle_id'] : "") ."
EDIT:
while($manufacturer = database::fetch($manufacturers_query)) {
$box_filter->snippets['manufacturers'][] = array(
'id' => $manufacturer['id'],
'name' => $manufacturer['name'],
'href' => document::ilink('manufacturer', array('manufacturer_id' => $manufacturer['id'])),
);
}
I have taken your rather messy code and refactored it so it is readable, maintainable and better in a lot of small and big ways. It's by no means perfect, but now it can be reasoned about.
I also eliminated the SQL Injection opportunities for you, but you still need to redesign your database::query() function so it accepts an array of parameters to be used with your sql query in a prepared statement execution. I used named placeholders in your query to make it readable.
Doing the refactor this way, allowed me to add a boolean flag I can set if your ignore condition is true ($_GET['category_id'] equals one of [1,4,9])
if (empty($_GET['manufacturer_id']))
{
$ignoreVehicleId = false;
$params = [];
$query = "select distinct m.id, m.name
from ${DB_TABLE_PRODUCTS} p
left join ${DB_TABLE_MANUFACTURERS} m on m.id = p.manufacturer_id ";
if( !empty($_GET['category_id'])
{
$query .= " left join ${DB_TABLE_PRODUCTS_TO_CATEGORIES} pc on pc.product_id = p.id ";
if(in_array($_GET["category_id"], [1,4,9]) // <--- This array should be better documented to not use MAGIC NUMBERS. What is 1,4 or 9?
{
$ignoreVehicleId = true;
}
}
if( $ignoreVehicleId === false && !empty( customer::$data['vehicle_id'])
{
$query .= " left join ${DB_TABLE_PRODUCTS_TO_VEHICLES} ptv on ptv.product_id = p.id ";
}
$query .= "where p.status and manufacturer_id ";
/*
* In the following two IF's named parameters for prepared statements are being used.
* You need to refactor the database::query() function to accept a params array.
* Read up on using prepared statements with mysqli_* or better, PDO.
*
* DO NOT BUILD QUERIES WITH VARIABLES ANY OTHER WAY!!!
*
* If you do you are asking to be pwned by someone using your less than secure
* practises to do SQL Injection.
*/
if( !empty($_GET['category_id'])
{
" and pc.category_id = :category_id ";
$params[":category_id"] = (int)$_GET['category_id'];
}
if( $ignoreVehicleId === false && !empty(customer::$data['vehicle_id'])
{
" and ptv.vehicle_id = :vehicle_id ";
$params[":vehicle_id"] = (int)customer::$data['vehicle_id'];
}
$query .= " order by m.name asc;"
$manufacturers_query = database::query($query, $params);
}
Related
I am trying to modify some PHP code that was created ages ago in Codecharge, to include a Group By clause in a MYSQL statement.
I have tested my MYSQL query and it works brilliantly in phpmyadmin. When I bring it in to the php page it kicks back an error because the WHERE and ORDER clauses are coded in separate locations, and then called in to the query string. Obviously, when the GROUP BY is left in the SQL it breaks because it is inserting it before the WHERE in the $this chain, so I need to figure out where I can insert the GROUP BY part of the code so it strings it all together in the proper order and the page loads as it should. Below is the 3 sections that pull together the SQL and clauses, and the webpage loads fine. I commented out by version of the SQL as it doesnt work properly without the GROUP BY.
//SetOrder Method #5-0FECF370
function SetOrder($SorterName, $SorterDirection)
{
$this->Order = "book_name";
$this->Order = CCGetOrder($this->Order, $SorterName, $SorterDirection,
"");
}
//End SetOrder Method
//Prepare Method #5-C6449552
function Prepare()
{
$this->wp = new clsSQLParameters($this->ErrorBlock);
$this->wp->AddParameter("1", "urlshow_id", ccsInteger, "", "", $this->Parameters["urlshow_id"], "", false);
$this->wp->Criterion[1] = $this->wp->Operation(opEqual, "ttb_books.show_id", $this->wp->GetDBValue("1"), $this->ToSQL($this->wp->GetDBValue("1"), ccsInteger),false);
$this->Where = $this->wp->Criterion[1];
}
//End Prepare Method
//Open Method #5-33D1EC54
function Open()
{
$this->CCSEventResult = CCGetEvent($this->CCSEvents, "BeforeBuildSelect");
$this->CountSQL = "SELECT COUNT(*) " .
"FROM (ttb_books INNER JOIN ttb_states ON " .
"ttb_books.state_id = ttb_states.state_id) INNER JOIN ttb_statuses ON " .
"ttb_books.status_id = ttb_statuses.status_id";
$this->SQL = "SELECT * " .
"FROM (ttb_books INNER JOIN ttb_states ON " .
"ttb_books.state_id = ttb_states.state_id) INNER JOIN ttb_statuses ON " .
"ttb_books.status_id = ttb_statuses.status_id ";
//$this->SQL = "SELECT ttb_books.book_id, ttb_books.book_name, ttb_books.show_id, ttb_states.state_name, COUNT(ttb_imgs.img_id) AS images " .
//"FROM (ttb_books INNER JOIN ttb_states ON ttb_books.state_id = ttb_states.state_id) " .
//"INNER JOIN ttb_statuses ON ttb_books.status_id = ttb_statuses.status_id " .
//"LEFT JOIN ttb_imgs ON ttb_books.book_id = ttb_imgs.book_id ";
$this->Group = "ttb_books.book_id, ttb_books.book_name, ttb_books.show_id, ttb_states.state_name";
$this->CCSEventResult = CCGetEvent($this->CCSEvents, "BeforeExecuteSelect");
$this->RecordsCount = CCGetDBValue(CCBuildSQL($this->CountSQL, $this->Where, ""), $this);
$this->query(CCBuildSQL($this->SQL, $this->Where, $this->Order));
$this->CCSEventResult = CCGetEvent($this->CCSEvents, "AfterExecuteSelect");
$this->MoveToPage($this->AbsolutePage);
}
//End Open Method
The original version of the code just lists all the book titles, and sorts by book name. My version also includes a COUNT, because I want to not only see all the book titles, but also a page count for each book in the list. Like I said, my new SQL works fine in phpmyadmin, and I'm sure it would on the page too if I could get the Grouping to work properly, too. Thank you for your help!
Ok, here is what I did. I stripped out the $this->Where part of the CCBuildSQL line, and put the WHERE directly in to the sql statement, which allowed me to use my GROUP BY and get the results I was looking for.
function Open()
{
$this->CCSEventResult = CCGetEvent($this->CCSEvents, "BeforeBuildSelect");
$this->CountSQL = "SELECT COUNT(*) " .
"FROM (ttb_books INNER JOIN ttb_states ON " .
"ttb_books.state_id = ttb_states.state_id) INNER JOIN ttb_statuses ON " .
"ttb_books.status_id = ttb_statuses.status_id";
$this->SQL = "SELECT ttb_books.book_id, ttb_books.book_name, ttb_books.owned, ttb_books.show_id, ttb_shows.show_name, ttb_states.state_name, COUNT(img_id) AS images " .
"FROM ttb_books " .
"INNER JOIN ttb_states ON ttb_books.state_id = ttb_states.state_id " .
"INNER JOIN ttb_statuses ON ttb_books.status_id = ttb_statuses.status_id " .
"INNER JOIN ttb_shows ON ttb_books.show_id = ttb_shows.show_id " .
"LEFT JOIN ttb_imgs ON ttb_books.book_id = ttb_imgs.book_id WHERE ttb_books.show_id=" . $this->Parameters["urlshow_id"] .
" GROUP BY ttb_books.book_id, ttb_books.book_name, ttb_books.owned, ttb_books.show_id, ttb_shows.show_name, ttb_states.state_name " ;
$this->CCSEventResult = CCGetEvent($this->CCSEvents, "BeforeExecuteSelect");
$this->RecordsCount = CCGetDBValue(CCBuildSQL($this->CountSQL, $this->Where, ""), $this);
$this->query(CCBuildSQL($this->SQL, "", $this->Order));
$this->CCSEventResult = CCGetEvent($this->CCSEvents, "AfterExecuteSelect");
$this->MoveToPage($this->AbsolutePage);
}
It looks like you're not in the IDE and directly altering the generated code. Go into the CodeCharge IDE, choose the control you want to modify, then create a Custom Code Event and put your adjusted SQL there.
http://docs.codecharge.com/studio50/html/index.html?http://docs.codecharge.com/studio50/html/ProgrammingTechniques/HowTo/CustomizingDataSource/ModifyOrderBy.html?toc
In the following example there is a base query. Other parameters can be dynamically added to complete the query.
However, my base query has no clause WHERE.
What is the best way to deal with it.
If I use in the base query, for example, WHERE 1 = 1, it seems to solve, but I have some doubts that is a correct solution.
$myQuery = "SELECT fr.oranges, fr.aplles, fr.bananas,
FROM fruits fr
LEFT JOIN countrys ct ON fr.id_fruit = ct.id_fruit";
if(!empty($countrys){
$myQuery .= " AND countrys = ? ";
}
if(!empty($sellers){
$myQuery .= " AND seller = ? ";
}
$myQuery .=" GROUP BY fr.id_fruit ORDER BY fr.fruit ASC";
Edited: I fixed a writing gap from $empty to empty.
The WHERE 1=1 is a simplistic hack that works well because it simplifies your code. There is a great post here which explains the performance implications of WHERE 1=1. The general consensus is it will have no effect on performance.
Also, slight note ($empty) is probably not a function you've defined. I think you want empty(). You could write it like this:
$myQuery = "SELECT fr.oranges, fr.aplles, fr.bananas,
FROM fruits fr
LEFT JOIN countrys ct ON fr.id_fruit = ct.id_fruit";
$where = [];
if(!empty($countrys){
$where[] = "countrys = ?";
}
if(!empty($sellers){
$where[] = "seller = ?";
}
if (!empty($where)) {
$myQuery .= " WHERE " . implode(" AND ", $where);
}
$myQuery .= " GROUP BY fr.id_fruit ORDER BY fr.fruit ASC";
You can use an array to control your SQL like this:
$where = [];
if(!$empty($countrys){
$where[] = " countrys = ? ";
}
if(!$empty($sellers){
$where[] = " seller = ? ";
}
if(count($where) > 0) {
$myQuery .= " WHERE ".implode('AND', $where);
}
I am trying to optimize some of my code and i believe i need an if/else or case to do this, however I think i would need php in the query to get it to work
here is the code I am trying to optimize
$sql = "SELECT value, COUNT(*) AS count
FROM sodsurvey LEFT OUTER JOIN age
ON sodsurvey.age_id = age.id
WHERE value IS NOT NULL AND office_id = " . $office_id . "
GROUP BY age_id; ";
if ($_SESSION['filteryear'] != 0 && $_SESSION['filtermonth'] != 0) {
$sql = "SELECT value, COUNT(*) AS count
FROM sodsurvey LEFT OUTER JOIN age
ON sodsurvey.age_id = age.id
WHERE value IS NOT NULL AND office_id = " . $office_id . "
AND year = " . $_SESSION['filteryear'] . " AND month = " . $_SESSION['filtermonth'] . "
GROUP BY age_id; ";
} else if ($_SESSION['filteryear'] != 0 || $_SESSION['filtermonth'] != 0) {
$sql = "SELECT value, COUNT(*) AS count
FROM sodsurvey LEFT OUTER JOIN age
ON sodsurvey.age_id = age.id
WHERE value IS NOT NULL AND office_id = " . $office_id . "
AND (year = " . $_SESSION['filteryear'] . " OR month = " . $_SESSION['filtermonth'] . ")
GROUP BY age_id; ";
}
and this is what I have tried to give you a rough idea of what I am trying to achieve
$filter = "";
if ($_SESSION['filteryear'] != 0 && $_SESSION['filtermonth'] != 0) {
$filter = "AND year = " . $_SESSION['filteryear'] . " AND month = " . $_SESSION['filtermonth'] . ""
} else if ($_SESSION['filteryear'] != 0 || $_SESSION['filtermonth'] != 0) {
$filter = "AND (year = " . $_SESSION['filteryear'] . " OR month = " . $_SESSION['filtermonth'] . ")"
}
$sql = "SELECT value, COUNT(*) AS count
FROM sodsurvey LEFT OUTER JOIN age
ON sodsurvey.age_id = age.id
WHERE value IS NOT NULL AND office_id = " . $office_id . "
CASE
WHEN ".isset($filter)." THEN ". $filter ."
END
GROUP BY age_id; ";
You can build up an array of filters depending on which values (year, month, etc) are set, and then combine them all into the WHERE clause. You don't need to worry about all the separate cases where both are set, or one are set, and so on.
I would also strongly echo the advice above that recommended looking into prepared statements, but this will hopefully get you on your way.
<?php
$office_id = 10;
$_SESSION['filteryear'] = 2016;
$_SESSION['filtermonth'] = 12;
$filters = [
"value IS NOT NULL",
"office_id = {$office_id}",
];
if ($_SESSION['filteryear']) {
$filters[] = "year = {$_SESSION['filteryear']}";
}
if ($_SESSION['filtermonth']) {
$filters[] = "month = {$_SESSION['filtermonth']}";
}
$sql = "
SELECT value, COUNT(*) AS count
FROM sodsurvey
LEFT JOIN age ON sodsurvey.age_id = age.id
WHERE " . implode(' AND ', $filters) . "
GROUP BY age_id;
";
The implode line combines each filter that's been set into a single WHERE clause.
is it valid to use PHP with a case in my attempt above?
No. PHP code cannot be part of your SQL query, however your PHP code can generate SQL query
In MySQL, I am trying to find a way to optimize my code
Just make your SQL code generated by PHP code based on all the conditions. You can easily concatenate strings being partions of your query conditionally.
I am producing an API that takes in certain parameters, carries out an algorithm and returns the results. As part of this process I have several different clauses that can go into the SQL statement based on what is sent to the API. This has produced many sections of this format:
if(isset($_GET['val'])) {
$sqljoin = " INNER JOIN b ON b.1=a.1 "
$sqlwhere = " WHERE b.2 = " . $_GET['val'];
}
$sql = "SELECT * FROM a " . $sqljoin . $sqlwhere;
Which was fine initially, but now I have approximately 6 different clauses going into it, both with a JOIN and a WHERE clause. Is there a better way of structuring this?
this may help you .
$sql = "SELECT * FROM a ";
$where = " WHERE 1=1 ";
if(isset($_GET['val'])) {
$sqljoin = " INNER JOIN b ON b.1=a.1 "
$sqlwhere = " AND b.2 = " . $_GET['val'];
}
if(isset($_GET['val2'])) {
$sqljoin2 = " INNER JOIN b2 ON b2.1=a.1 "
$sqlwhere2 = " AND b2.2 = " . $_GET['val2'];
}
$fullquery = $sql . $sqljoin . $sqljoin2 . $where . $sqlwhere . $sqlwhere2 ;
Some notes:
Your code is under sql injection vulnerability. you should escape your variables by
$_GET['val'] = mysql_real_escape_string($_GET['val']);
you should switch to PDO or MYSQLI.
So I have to add a WHERE query to this plugin I'm using for a reporting feature on a WordPress site. I have no time to do anything but add in another column and filter by the values in that column as there is not that much data to manage each update. The default value for the column I added is zero but I'll add new entries to represent years new people are added. However, when I filter based on the column value the whole query breaks and doesn't show up. I have no idea why. Here is the section involving its set up query displaying results.
<?php
$sql = "SELECT COUNT(*) FROM " . $wpdb->prefix . "presidentsreport_breakdown WHERE list_id = " . $atts['list_id'];
$total_breakdowns = $wpdb->get_var($sql);
$sql = "SELECT p.person_id, p.name, p.notes, p.school_year, b.breakdown_id, b.name as breakdown, b.description as breakdown_description FROM " . $wpdb->prefix . "presidentsreport_person p INNER JOIN " . $wpdb->prefix . "presidentsreport_breakdown b ON b.breakdown_id = p.breakdown_id INNER JOIN " . $wpdb->prefix . "presidentsreport_list l ON l.list_id = b.list_id";
$clean_where = " WHERE l.list_id = " . $atts['list_id'];
$where = "";
if($search != ''){
$where = " AND (p.name LIKE %s)";
$arg = '%' . $search . '%';
$args = array($arg);
}
$where = $wpdb->prepare($where, $args);
$order = " ORDER BY b.sort_order, b.breakdown_id, p.sort_name, p.name, p.person_id";
$results = $wpdb->get_results($sql . $clean_where . $where . $order);
?>
If I add anything in the variable $where it breaks the whole query. So if I add
<?php
$where = " WHERE p.school_year <= 2011";
?>
or
<?php
$where = " WHERE p.school_year = 0";
?>
Nothing will show up, For the last example if the default value is 0 everything should show up regardless. Thanks in advance for reading through!
Don't add WHERE to your variable. It is already assigned in $clean_where
$clean_where = " WHERE l.list_id = " . $atts['list_id'];
Here ------------^
You need to concatenate your addition parameters to the $where variable:
$where .= " AND p.school_year <= 2011";
There's no need of WHERE in where!