I'm trying to write a search function and am using multiple drop-down lists for search criteria.
i have a sql statement like
SELECT * FROM TABLE WHERE OFFICE='$office', NAME='$name', DEPARTMENT='$department';
Sometime I want to search with specific 'name' but without talking about 'department' and 'office'. But when I pass Blank '' to '$office' and '$department' it only return the person with no office and department. Is there anyway around to overcome it?
I tried to use '%' instead of blank but it didn't work as well.
I'm coding with php and MSSQL.
Thanks in Advance
If you want to work with wildcards, you dont need =, but LIKE. Unsure if this query works, but try it:
SELECT * FROM TABLE WHERE OFFICE LIKE '$office', NAME LIKE '$name', DEPARTMENT LIKE '$department';
Now you just have to check if the field is blank, if yes, replace it with a %. As i said, im unsure. I dont have a database availible at the moment for testing this.
for achieving this you have to write some php code like
$sql = "SELECT * FROM TABLE WHERE";
if(isset($office)){
$sql .= "OFFICE='$office',";
}
if(isset($name)){
$sql .= " NAME='$name',";
}
if(isset($department)){
$sql .= " DEPARTMENT='$department'";
}
You can easily do this as follow:
if(isset($office) && isset($department)){
$sql = "SELECT * FROM TABLE WHERE OFFICE='$office', NAME='$name', DEPARTMENT='$department'";
}
else{
$sql = "SELECT * FROM TABLE WHERE NAME LIKE '$name'";
}
mysql_query($connection, $sql);
Related
I tried to make a search system which uses the LIKE operator to search results based on what the user typed. I'm using it with strings. The problem is that it doesn't show any result.
I hope this also helps people with the same confusion as me...
Code:
"SELECT * FROM table WHERE name LIKE ' . $input . ';";
input is a PHP variable from what the user typed.
EDIT: Don't worry about SQL injection, it's all offline.
for the proper use of like you should use wildchar eg :
SELECT * FROM table WHERE name LIKE concat('%', ? ,'%') ;
and you should not use var inside SQL code .. you are at risk for sqlinjectiomn
for avoid this you should take a look at you db driver for prepared statement and binding param
eg for PDO
$st = $conn->prepare("SELECT * FROM table WHERE name LIKE concat('%', ? ,'%')");
$st->bindParam(1, $input, PDO::PARAM_STR, 255);
$st->execute();
Try This
$string = "input";
$sql = "select * from table where name like '%$string%'"
Create a variable and store value what you want to search
$where = "AND name like '%$string%'";
and put it after table name
$sql = "select * from table_name $where";
I have queried the database and got a list of database names that match my criteria. This is what I ran to get the information.
$sql = "SELECT DISTINCT tb.TABLE_SCHEMA
FROM
INFORMATION_SCHEMA.TABLES AS tb
INNER JOIN
INFORMATION_SCHEMA.TABLES AS tb2
WHERE tb.TABLE_NAME like '%OPTION%'
AND tb2.TABLE_NAME like '%USER%'";
$query = $handler->prepare($sql);
$query->execute();
$dbnames = $query->fetchAll(PDO::FETCH_COLUMN);
What I am trying to accomplish:
Now that I have the names, I need to run through each database so that I can get the list of websites, email of admin and user login. I know I can achieve this individually, but I am trying to do this dynamically with variables. The select statement below would run and give me my answer. However the prefix before the underscore in the FROM ysY6q8hmL7_options is different in each database.
SELECT option_value FROM `ysY6q8hmL7_options` WHERE `option_name` = 'home'
I tried this code but consistently get an error. How can I solve this problem. How can I run the queries dynamically without knowing the full name of each table. thank you.
foreach ($result as $val) {
$sql = "SELECT option_value FROM $val.%_options WHERE option_name = 'home'";
$query = $handler->prepare($sql);
$query->execute();
$dbnames = $query->fetchAll(PDO::FETCH_ASSOC);
printResultConsole($dbnames);
Your logic looks ok, but why do you have that percent sign in the table name ? That’s probably what is causing an error (whose message you should have shared, by the way).
Try this instead :
$sql = "SELECT option_value FROM " . $val . "_options WHERE option_name = 'home'";
I am having some difficulty running some SQL code.
What I am trying to do is, find a row that contains the correct username, and then get a value from that correct row.
This is my SQL in the php:
mysql_query("SELECT * FROM users WHERE joined='$username' GET name")
As you can see, it looks for a username in users and then once found, it must GET a value from the correct row.
How do I do that?
You need some additional PHP code (a call to mysql_fetch_array) to process the result resource returned by MySQL.
$result = mysql_query("SELECT name FROM users WHERE joined='$username'");
$row = mysql_fetch_array($result);
echo $row['name'];
mysql_query("SELECT `name` FROM users WHERE joined='$username' ")
Just select the right column in your 'select clause' like above.
Edit: If you are just starting out though, you might want to follow a tutorial like this one which should take you through a nice step by step (and more importantly up to date functions) that will get you started.
mysql_query("SELECT name FROM users WHERE joined='$username'")
$q = mysql_query("SELECT * FROM users WHERE joined='$username'");
$r = mysql_fetch_array($q);
$name = $r['user_name']; // replace user_name with the column name of your table
mysql_query("SELECT name FROM users WHERE joined='$username' ")
Read documentation : http://dev.mysql.com/doc/refman/5.0/en/select.html
I am trying to get some information from my table, but the query returns empty when I call it this way:
$varchar_string = mysqli_real_escape_string($link, $_GET['code']); //the code is b5KlL4znM in this scenario
mysqli_query($link, "SELECT * FROM table WHERE code = $varchar_string");
The string is alphanumeric, and is submitted by users, so I've escaped it before doing the query.
Now if I do this query
mysqli_query($link, "SELECT * FROM table WHERE code = 'b5KlL4znM'");
It works fine, but that's not very dynamic.
I didn't get many results when I searched for this issue, and I didn't manage to find the answer amongst those that seem relevant.
Do you perhaps need to put quotes around your string?
mysqli_query($link, "SELECT * FROM table WHERE code = '$varchar_string'");
You'll need to include the variable in quotations.
mysqli_query($link, "SELECT * FROM table WHERE code = '$varchar_string'");
I created a user defined sql query that doesn't work. Users are supposed to be able to enter search strings in an input field, submit then see the results of their search but everytime I enter a search for something that I know is in the database I get the unknown column "x" in "where clause" error message.
Would you please help me fix the problem? Here's the code that i wrote for it so far...
...
mysql_select_db("mydb", $c);
$search = $_POST['search'];
$rslt = mysql_query("SELECT * FROM mytable
WHERE 'mycolumn' RLIKE $search");
while($row = mysql_fetch_array($rslt))
{
echo $row['myrow'];
echo "<br />";
}
if (!$row)
{
die('uh oh: ' . mysql_error());
}
?>
Change the code to this:
1) Convert quotes to backticks around column name.
2) Surround $search with single qoutes to make it a string.
$rslt = mysql_query("SELECT * FROM mytable WHERE `mycolumn` RLIKE '{$search}'");
This helps for sure
just change the variable $search to be read as a string i.e $search
so it will be like this
$rslt = mysql_query("SELECT * FROM mytable WHERE mycolumn RLIKE '$search'");
I would like to add a few about security and performance.
It is unsafe to put user input (any GET, POST or cookie data) directly into the SQL query. This is a serious security issue called SQL injection. To avoid it, use mysql_real_escape_string() function.
Also, SELECT * FROM mytable ... is not a good practice. It is recommended to explicitly list all the columns needed even if they all are:
SELECT col1, col2, col3, col4, col5 FROM mytable ...