I am trying to make a dynamic where clause. I am getting some array of check boxes in PHP as following code
$brand = array();
if(isset($_GET['brand']) && !empty($_GET['brand']))
$brand=$_GET['brand'];
$brand_str = implode("' , '",$brand);
}
MY SQL Query is
$sql="SELECT DISTINCT * FROM products WHERE brand IN('$brand_str')";
if brand is not defined it gives error or no row is fetched but its a simple problem can be solved using following approach.
MY approach:
I use a variable like 'flag_for_filter_brand' inside if statement that is if flag_for_filter_brand=1 the QUERY is
$brand = array();
$flag_for_filter_brand=false;
if(isset($_GET['brand']) && !empty($_GET['brand']))
$brand=$_GET['brand'];
$brand_str = implode("' , '",$brand);
$flag_for_filter_brand=true;
}
if(flag_for_filter_brand);
$sql="SELECT DISTINCT * FROM products WHERE brand IN('$brand_str')";
else
$sql="SELECT DISTINCT * FROM products;
MY PROBLEM:
But this is also a big problem because my code become so large because there are two three where clauses as below
$sql="SELECT DISTINCT * FROM products WHERE brand IN('$brand_str') and Quantity IN ($var2) and type IN($var3)";
how to solve this in a optimal way?
Any suggestion or help is appreciated
Put each of your WHERE conditions in an array. Then test whether the array contains anything.
$wheres = array();
if(isset($_GET['brand']) && !empty($_GET['brand']))
$brand=$_GET['brand'];
$brand_str = implode("' , '",$brand);
$wheres[] = "brand IN ('$brand_str')";
}
if(isset($_GET['quantity']) && !empty($_GET['quantity']))
$quant=$_GET['quantity'];
$quant_str = implode("' , '",$quant);
$wheres[] = "Quantity IN ('$quant_str')";
}
// Repeat this for other conditions
if (!empty($wheres)) {
$where_str = "WHERE " . implode(' AND ', $wheres);
} else {
$where_str = "";
}
$sql = "SELECT DISTINCT * FROM Products $where_str";
If you have lots of conditions, you can put the names of the fields in an array, and then make the first part of this answer into a loop:
$fields = array('brand', 'quantity', 'type', ...);
foreach ($fields as $field) {
if (!empty($_GET[$field])) {
$field_str = implode("' , '", $_GET[$field]);
$wheres[] = "$field IN ('$field_str')";
}
}
Put all parts of your WHERE condition in an array.
$where = array();
if(isset($_GET['brand']) && !empty($_GET['brand']))
$brand_str = implode("' , '", $_GET['brand']);
$where[] = "brand IN('$brand_str')";
}
...
then test if array is not empty
if (!empty($where)) {
$sql="SELECT DISTINCT * FROM products WHERE " . implode (' AND ', $where);
} else {
$sql="SELECT DISTINCT * FROM products";
}
Just use 1 as WHERE value:
$brandArray = $_GET['brand']; // with empty(), isset(), and other validation...
$quantityArray = $_GET['quantity']; // with empty(), isset(), and other validation...
$typeArray = $_GET['type']; // with empty(), isset(), and other validation...
$whereArray = array();
$whereArray['brand'] = !empty($brandArray) ? 'brand IN (' . implode(',', $brandArray) . ')' : 1;
$whereArray['quantity'] = !empty($quantityArray) ? 'quantity IN (' . implode(',', $quantityArray) . ')' : 1;
$whereArray['type'] = !empty($typeArray) ? 'type IN (' . implode(',', $typeArray) . ')' : 1;
$where = implode(' AND ', $whereArray);
if(flag_for_filter_brand);
$sql="SELECT DISTINCT * FROM products WHERE brand IN('$brand_str')";
else
$sql="SELECT DISTINCT * FROM products;
$sql = <<<SQL
SELECT
DISTINCT *
FROM
products
WHERE
$where
;
SQL>>>;
That's just one possibility to handle this. Actually this code should be separated infor classes and methods or at least to some functions.
One way would be to put the queries in a function and call that function inside your if
if(isset($_GET['brand']) && !empty($_GET['brand'])) {
$brand=$_GET['brand'];
$brand_str = implode("' , '",$brand);
if !empty($brand_str)
myQueries( $brand_str );
}
function myQueries( $brand_str ) {
// execute your queries
}
Another option is if your script is doing only that to exit if your string is empty.
if(isset($_GET['brand']) && !empty($_GET['brand'])) {
$brand=$_GET['brand'];
$brand_str = implode("' , '",$brand);
if empty( $brand_str )
exit;
}
myQueries( $brand_str );
Related
My PHP statement looks like this
$select_product= "SELECT * FROM `products` WHERE pro_name = '$page_name' and status = 'Active'";
$sql101=$dbconn->prepare($select_product);
$sql101->execute();
$wlvd101=$sql101->fetchAll(PDO::FETCH_OBJ);
foreach($wlvd101 as $rows101);
$product_id = $rows101->id;
// Gives me result of a sample id 101
Again I am another statement where I have fetched the ids of products from my cart. The statement looks like this:
$pidArr = array();
if(!empty($_SESSION['cart'])){
foreach($_SESSION['cart'] as $id=>$val)
{
$rate=$val['product_mrp'] * $val['qty'];
$total=$total+$rate;
$pidArr[] = $val['uid'];
$qtyArr[] = $val['qty'];
$webArr[] = $val['ppid'];
}
$all_cart_products = "'" . implode("','", $pidArr) . "'";
//echo $all_cart_products;
//It gives me a list of ids like this '100', '101', '102' etc
}
Now while using in_array, my statement is not working. The code looks like this:
$my_ids = $all_cart_products;
if (in_array("$product_id", $my_ids))
{
echo "Match Found";
}
else
{
echo "Match not found";
}
How to solve this problem?
This line $all_cart_products = "'" . implode("','", $pidArr) . "'" creates a string.
Which you then assign $my_ids = $all_cart_products; so $my_ids is also now a string.
Pass it $pidArr instead.
I'm having an issue preparing a SQL statement:
$statement = $conexion->prepare(
'SELECT * FROM celulares
WHERE (MARCA = :marca )
AND
(CATEGORIA = :categoria1 OR CATEGORIA = :categoria2 OR CATEGORIA = :categoria3)
AND
(CATEGORIA2 = :categoria1 OR CATEGORIA2 = :categoria2 OR CATEGORIA2= :categoria3)
AND
(CATEGORIA3 = :categoria1 OR CATEGORIA3 = :categoria2 OR CATEGORIA3 = :categoria3)');
Giving placeholders values with this:
$statement->execute(array(':categoria1' => $categoria1,
':categoria2' => $categoria2,
':categoria3' => $categoria3,
':marca' => $query
));
$query value may variate when my application begins depending on some results:
if ($entrada == "LG") {
if ($query == "") {
$query = "LG";
} else {
$query = $query . ' OR MARCA = "LG" ';
}
}
if ($entrada == "APPLE") {
if ($query == "") {
$query = "APPLE";
} else {
$query = $query . ' OR MARCA = "APPLE" ';
}
}
if ($entrada == "HUAWEI") {
if ($query == "") {
$query = "HUAWEI";
} else {
$query = $query . ' OR MARCA = "HUAWEI" ';
}
}
I tried a lot of things, but none of those worked out it returns an empty array, the only one who works was changing this line of my prepared statement:
WHERE (MARCA = :marca OR MARCA = :marca2 OR MARCA = :marca3 )
And as many "MARCA" as results, i think it's not the best way to do it
UPDATED:
Now trying with IN Statement in my Query (Thanks you all for helping me)
Now it looks like:
$marcas = array("LG", "HUAWEI"); (Static values for test)
$inQuery = implode(',', array_fill(0, count($marcas), '?'));
$statement = $conexion->prepare(
'SELECT * FROM celulares
WHERE (MARCA = IN (' . $inQuery . '))
AND
(CATEGORIA = :categoria1 OR CATEGORIA = :categoria2 OR CATEGORIA = :categoria3)
AND
(CATEGORIA2 = :categoria1 OR CATEGORIA2 = :categoria2 OR CATEGORIA2= :categoria3)
AND
(CATEGORIA3 = :categoria1 OR CATEGORIA3 = :categoria2 OR CATEGORIA3 = :categoria3)');
foreach ($marcas as $k => $marca) {
$statement->bindValue(($k+1), $marca);
}
$statement->bindValue(':categoria1', $categoria1);
$statement->bindValue(':categoria2', $categoria2);
$statement->bindValue(':categoria3', $categoria3);
$statement->execute();
Getting: Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters
Trying to fix it
You can simplify your query:
SELECT * FROM celulares
WHERE (MARCA = :marca )
AND (:categoria1,:categoria2,:categoria3)
IN (
(CATEGORIA,CATEGORIA2,CATEGORIA3),
(CATEGORIA,CATEGORIA3,CATEGORIA2),
(CATEGORIA2,CATEGORIA,CATEGORIA3),
(CATEGORIA2,CATEGORIA3,CATEGORIA),
(CATEGORIA3,CATEGORIA,CATEGORIA2),
(CATEGORIA3,CATEGORIA2,CATEGORIA)
)
This way you only pass in the categories once, and compare it against the six possible permutations of three categories.
That being said, this is a sign that your database is in very poor shape. Generally speaking having any kind of "column2", "column3" system is a sign that you need to restructure your database - the kind of queries you end up with, like the above, are only going to get worse.
Specifically, in this case, just adding CATEGORIEA4 would increase the amount of permutations you need to define from 6 to 24!!
EDIT: I completely missed the part about :marca and IN - I was too focussed on the bad state of the database with regard to categories, sorry!
Well, i fix it, probably it's not the best way to solve it but i have this now:
I fill array with entries from POST
$query = array();
$index = 0;
foreach ($_POST as $entrada) {
switch($entrada) {
case "SAMSUNG":
$query[] = "SAMSUNG";
break;
case "LG":
$query[] = "LG";
break;
case "APPLE":
$query[] = "APPLE";
break;
case "HUAWEI":
$query[] = "HUAWEI";
break;
}
}
$inQuery = str_repeat('?,', count($query) - 1) . '?';
Here's my new query: Problem was that i was mixing "?" with placeholders (:) which not is recommended
$statement = $conexion->prepare(
"SELECT * FROM celulares
WHERE ( MARCA IN($inQuery))
AND
(CATEGORIA = ? OR CATEGORIA = ? OR CATEGORIA = ?)
AND
(CATEGORIA2 = ? OR CATEGORIA2 = ? OR CATEGORIA2= ?)
AND
(CATEGORIA3 = ? OR CATEGORIA3 = ? OR CATEGORIA3 = ?)");
Then i bindValues like that
$c = 0;
foreach ($query as $q => $queries) {
$c++;
$statement->bindValue(($q+1), $queries);
}
$statement->bindValue($c+1, $categoria1);
$statement->bindValue($c+2, $categoria2);
$statement->bindValue($c+3, $categoria3);
$statement->bindValue($c+4, $categoria1);
$statement->bindValue($c+5, $categoria2);
$statement->bindValue($c+6, $categoria3);
$statement->bindValue($c+7, $categoria1);
$statement->bindValue($c+8, $categoria2);
$statement->bindValue($c+9, $categoria3);
$statement->execute();
$resultados = $statement->fetchAll();
I did many test with a lot of querys and it's working fine, probably it's a "dirty" solution but i'll continue learning
Thanks u all for helping me!
I have this HTML form which has so many fields that someone can use to query data from MySQL table using multiple conditions. The form has select boxes, text boxes and check boxes, and date inputs.
I have this function which is ineffective
public function search(Request $request)
{
// loop through the defined fields
foreach($this->fields as $field){
// if the field is set and not empty
if(is_array($request->get($field))){
foreach ($request->get($field) as $value) {
$this->conditions[] = "`$field` = '" . $value . "'";
}
} else {
if(isset($_POST[$field]) && $request->get($field) != '') {
$data = $request->get($field);
if($field == 'bf_ref_no'){
$data = is_numeric( substr($request->get($field), 0, 2) ) ? 'BF'.$request->get($field) : $request->get($field) ;
}
$this->conditions[] = "`$field` = '" . $data . "'";
}
}
}
// builds the query
$query = "SELECT invoices.id as inv_id, invoices.created_at as inv_date, invoices.amount_paid, invoices.amount, csv_data_final.* FROM csv_data_final
LEFT JOIN invoices ON invoices.parent_id = csv_data_final.id ";
// if there are conditions defined
if(count($this->conditions) > 0) {
// append the conditions
$query .= "WHERE " . implode (' AND ', $this->conditions); // you can change to 'OR', but I suggest to apply the filters cumulative
}
$results = DB::select( $query );
$borders = DB::table('borders')->orderBy('id', 'DESC')->get();
return view('track.track-withdata', compact('results', 'borders'));
}
This code doesn't work for dates using BETWEEN keyword.
I want to run search query where i have multiple where clause. and multiple depends upon the user argument.
for example i mean, Search may depend on 1 column, 2 column, 3 column or 6 column in my case, and i don't want to run if-elseif-else statement with all column probability. So, i have just built up below function, but i am stuck with and that comes in between multiple column search case. Below is my code :-
function listPlayer($player="player_guest", $group="group_guest",
$weapon="weapon_guest", $point="point_guest", $power="level_guest",
$status="status_guest") {
$lePlayer = (isset($player) && $player != "player_guest") ?
'player= '.$mysqli->real_escape_string($player).' and' : '';
$leGroup = (isset($group) && $group != "group_guest") ?
'group= '.$mysqli->real_escape_string($group).' and' : '';
$leWeapon = (isset($weapon) && $weapon != "weapon_guest") ?
'weapon= '.$mysqli->real_escape_string($weapon).' and' : '';
$lePoint = (isset($point) && $point != "point_guest") ?
'point= '.$mysqli->real_escape_string($point).' and' : '';
$lePower = (isset($power) && $power != "level_guest") ?
'level= '.$mysqli->real_escape_string($power).' and' : '';
$leStatus = (isset($status) && $status != "status_guest") ?
'status= '.$mysqli->real_escape_string($status).' and' : '';
$query = "Select pid, name from game where {$lePlayer} {$leGroup} {$leWeapon} {$lePoint} {$lePower} {$leStatus} ";
$runQuery = $mysqli->query($query);
}
but problem is and at the end. If i use them, than i have extra and at the end, and if i don't use them that's again an error.
Can some one help me to fix and find better way to do it.
Update: My Update Code that works if some one needs them Thanks to Barmar
function listPlayer($player="player_guest", $group="group_guest",
$weapon="weapon_guest", $point="point_guest", $power="level_guest",
$status="status_guest") {
$lePlayer = (isset($player) && $player != "player_guest") ?
'player= '.$mysqli->real_escape_string($player) : '' ;
$leGroup = (isset($group) && $group != "group_guest") ?
'group= '.$mysqli->real_escape_string($group) : '' ;
$leWeapon = (isset($weapon) && $weapon != "weapon_guest") ?
'weapon= '.$mysqli->real_escape_string($weapon) : '' ;
$lePoint = (isset($point) && $point != "point_guest") ?
'point= '.$mysqli->real_escape_string($point) : '' ;
$lePower = (isset($power) && $power != "level_guest") ?
'level= '.$mysqli->real_escape_string($power) : '' ;
$leStatus = (isset($status) && $status != "status_guest") ?
'status= '.$mysqli->real_escape_string($status) : '' ;
$condition_array = ( $lePlayer , $leGroup , $leWeapon , $lePoint , $lePower , $leStatus)
$condition_stirng = implode(' and ', $condition_array);
$query = "Select pid, name from game where ".$condition_stirng;
$runQuery = $mysqli->query($query);
}
Update:
I got mail from someone at my email which says my code is vulnerable to SQL Injection. Here it is POC http://www.worldofhacker.com/2013/09/interesting-sql-vulnerable-code-even.html
Thanks
Put all the conditions in an array. Then combine them with:
$condition_string = implode(' and ', $condition_array);
The simple solution is to trim the "and" off at the end:
$query = substr($query, 0, strlen($query) - 3);
however a more efficient way would be to put them in a loop, like this:
$wheres = array("player_guest"=>$player, "group_guest"=>$group.....);
$query_where = "";
$i = 0;
foreach($wheres as $where=>$value){
list($condition, $null) = explode("_",$where);
if(isset($value)){
$query_where .= $condition . "='" . $mysqli->real_escape_string($value)."'";
if($i != sizeof($wheres)){
$query_where .= " and ";
}
}
$i++;
}
This is extendable for any number of conditions, and doesnt require the extra string function at the end.
Notice the $defaults is needed to make sure your conditions work. A bit repetitive, but it's all due to your function declaration.
function listPlayer(
$player="player_guest",
$group="group_guest",
$weapon="weapon_guest",
$point="point_guest",
$power="level_guest",
$status="status_guest") {
//I'm just copying whatever is in the default parameters ;)
$defaults = array(
'player' => 'player_guest',
'group' => 'group_guest',
'weapon' => 'weapon_guest',
'point' => 'point_guest',
'power' => 'level_guest',
'status' => 'status_guest'
);
//Set all user parameters into an array, easier to loop through
$data = compact(array_flip($defaults));
//Then we build conditions
$conditions = array();
foreach($data as $k => $v) {
if ($defaults[k] !== $v) {
$v = $mysqli->real_escape_string($v);
$conditions[] = "$k='$v'";
}
}
//And build query
$query = "SELECT pid, name FROM game WHERE ".implode(" AND ", $conditions);
$runQuery = $mysqli->query($query);
}
First of all I recommend you to look at PDO when you work with MySQL in PHP.
Such tasks are always simply solved with array maps.
function listPlayer($player = null, $group = null, $weapon = null, $point = null, $power = null, $status = null) {
$defaults = array(
'player' => 'player_guest',
'group' => 'group_guest',
'weapon' => 'weapon_guest',
'point' => 'point_guest',
'status' => 'status_guest',
);
$values = compact(array_keys($defaults));
$filtered = array_filter(array_diff_assoc($values, $defaults)); //firstly filtering out defaults, then - nulls.
$where = '';
foreach($filtered as $column => $value){
if($where){
$where .= ' AND ';
}
$where .= sprintf("`%s` = '%s'", $column, $mysqli->real_escape_string($value));
}
$query = "SELECT pid, name FROM game WHERE $where";
//executing...
}
I want to fetch contents with multiple filters, right now there's only one.
For Example:
SELECT * FROM Table1 WHERE status=true AND category = 'Camera' AND
model = 'Samsung' AND type = 'New'
I want to create an array for it. But as I'm a newbie in this one not getting a lead.
function getAllRequests($filter){
if(empty($filter)){
$addfilter = '';
}else{
$addfilter = 'AND cat_id=' . $filter;
}
}
$sql = 'SELECT * FROM Table1 WHERE status=true' . $filter;
Any help will be appreciated.
This will get you closer to the solution, though it will not replace the cat_id in the query, which will certainly be wrong - though impossible to do too much more without the array structure:
function getAllRequests($filter)
{
$addfilter="";
if(!empty($filter))
{
foreach($filter as $val)
{
$addfilter. = ' AND cat_id=' . $val .'\'';
}
}
return $addFilter;
}
$myFilters=getAllRequests($filter);
$sql = 'SELECT * FROM Table1 WHERE status=true' . $myFilters;
On the other hand, if your array is strucutred in a way like this:
array{ category => camera, model => samsung); // etc
you could use the following:
function getAllRequests($filter)
{
$addfilter="";
if(!empty($filter))
{
foreach($filter as $key => $val)
{
$addfilter. = " AND `$key` = '$val'";
}
}
return $addFilter;
}
$myFilters=getAllRequests($filter);
$sql = 'SELECT * FROM Table1 WHERE status=true' . $myFilters;
Edit: You can loop through all the filters in the following manner:
function getAllRequests()
{
$addfilter="";
if(!empty($_REQUEST))
{
foreach($_REQUEST as $key => $val)
{
$addfilter. = " AND `$key` = '$val'";
}
}
return $addFilter;
}
$myFilters=getAllRequests();
$sql = 'SELECT * FROM Table1 WHERE status=true' . $myFilters;
You don't need to pass the $_REQUEST (which will work for both GET and POST) as it already a superglobal.
function getAllRequests($filter){
if(empty($filter)){
$addfilter = '';
}else{
$addfilter = 'AND cat_id=' . $filter;
}
}
$sql = 'SELECT * FROM Table1 WHERE status=true' . $addfilter;
You can use another approach, which is using optional parameters and it will make your WHERE clause dynamic as you want. In this approach you pass all parameters' values directly to the sql query which should look like so:
SELECT *
FROM Table1
WHERE 1 = 1
AND (#status IS NULL OR status = #statusParam)
AND (#category IS NULL OR category = #categoryParam)
AND (#model IS NULL OR model = #modelParam)
AND (#type IS NULL OR type = #typeParam)
Then If any of the parameters #statusParam, #categoryParam, #modelParam or #typeParam passed to the query with NULL values, then the comparison with the column holding that value will be ignored. I used the predicate 1 = 1, in case all the values passed to the query with all NULL values in the case all the WHERE clause will be ignored as it won't presented, since WHERE 1 = 1 always true and it will be like SELECT * FROM Table1.
use this
function getAllRequests($filter){
if(empty($filter)){
$addfilter = '';
}else{
$addfilter .= 'AND cat_id=' . $filter;
}
return $addfilter;
}
$sql = 'SELECT * FROM Table1 WHERE status=true' . getAllRequests($filter);
When you are sending array make sure it has indexes
$conditions = array('category' => 'Camera', 'model' => 'Samsung' , 'type' => 'New')
Now loop through it. in your else condition
foreach($conditions as $key =>$value){
$addfilter .= 'AND ' . $key . ' = ' . $value;
}