Im trying to create a php script that queries a database based on filter input from users
So essentially i want
select * from table where parent_id = '$filter_value'
However i want to apply a default value to $filter_value which will take effect if the user doesnt specify any filters, and will pull up all possible results.
I tried using * but it didnt work...
Two ways:
Compare the value to NULL
SELECT *
FROM table
WHERE ($filter_value IS NULL OR parent_id = '$filter_value')
Dynamically create the SQL based on whether $filter_value contains a value. If it does not, your query should simply be:
SELECT *
FROM table
Check if the filter variable is null, or just wrap your query in an if statement:
SELECT * FROM baz WHERE foo = :bar OR :bar IS NULL
It's not exactly what you asked, but it is very close and I think a better way. You can do something like this:
if ( empty( $filter_value ) === false ) {
select * from table where parent_id = '$filter_value'
} else {
select * from table
}
That is just an example, not good php syntax.
But the idea is that if you want to have different behaviours depending on something, then you should program it that way, for instance, with an if, that way, you know what happens in each case and control the situation, not depending on what mysql does with the empty value passed.
Ok, i tried just inserting a blank space as the default var value, as in
$filter_value = ''
Solved the problem :$
Related
I have a table filter feature in PHP club membership webpage. I made it so the user can filter the table and choose which members to display in a table. For example, he can choose the country or state where the member is from then hit display. I am using a prepared statement.
The problem is, I need to use wildcards to make the coding easier. How do I use a wildcard in PHP MySQL query? I will use wildcards for example if the user does NOT want specific country but instead he wants to display all members from all countries.
I know not specifying the WHERE country= will automatically select any countries but I already constructed it so each controls like the SELECT control for country already has a value like "CA" or "NY" and "*" if the user leaves that control under "All Countries". This value when submitted is then added to the query like:
$SelectedCountry = $_POST["country"];
sql .= " WHERE country=" . $SelectedCountry;
But the problem is using WHERE country=* doesn't seem to work. No errors, just doesn't work. Is "*" the wildcard in PHP MySQL?
The * is not a wildcard in SQL when comparing with the = operator. You can use the like operator and pass a % to allow for anything.
When doing this the % should be the only thing going to the bind. $Bind_country = "'%'"; is incorrect because the driver is already going to quote the value and escape the quotes. So your query would come out as:
WHERE country ='\'%\''
The = also needs to be a like. So you want
$bind_country = '%';
and then the query should be:
$sql = 'select * from table where country like ?';
If this were my application I would build the where part dynamically.
Using * in WHERE clause is not right. You can only give legit value. For example:
// looking for an exact value
SELECT * FROM table WHERE column = 'value'
// you can also do this when looking for an exact value
// it works even if your $_POST[] has no value
SELECT * FROM table WHERE column = 'value' OR '$_POST["country"]' = ''
// looking for a specific or not exact value
// you can place % anywhere in value's place
// % denotes the unknown characters of the value
// it works also even if your $_POST[] has no value
// results will not be the same when you're using AND or OR clause
SELECT * FROM table WHERE column LIKE '%val%'
I think below link can solve your problem.
Just have a look and choose what you need.
Thanks.
http://www.w3schools.com/sql/sql_wildcards.asp
I've this code:
public function getAllAccess(){
$this->db->select('accesscode');
$this->db->where(array('chain_code' => '123');
$this->db->order_by('dateandtime', 'desc');
$this->db->limit($this->config->item('access_limit'));
return $this->db->get('accesstable')->result();
}
I need to join it with another table (codenamed table), I've to tell it this. Not really a literal query but what I want to achieve:
SELECT * accesscode, dateandtime FROM access table WHERE chain_code = '123' AND codenames.accselect_lista != 0
So basically accesstable has a column code which is a number, let us say 33, this number is also present in the codenames table; in this last table there is a field accselect_lista.
So I have to select only the accselect_lista != 0 and from there get the corrisponding accesstable rows where codenames are the ones selected in the codenames.
Looking for this?
SELECT *
FROM access_table a INNER JOIN codenames c ON
a.chain_code = c.chain_code
WHERE a.chain_code = '123' AND
c.accselect_lista != 0
It will bring up all columns from both tables for the specified criteria. The table and column names need to be exact, obviously.
Good start! But I think you might be getting a few techniques mixed up here.
Firstly, there are two main ways to run multiple where queries. You can use an associative array (like you've started to do there).
$this->db->where(array('accesstable.chain_code' => '123', 'codenames.accselect_lista !=' => 0));
Note that I've appended the table name to each column. Also notice that you can add alternative operators if you include them in the same block as the column name.
Alternatively you can give each their own line. I prefer this method because I think its a bit easier to read. Both will accomplish the same thing.
$this->db->where('accesstable.chain_code', '123');
$this->db->where('codenames.accselect_lista !=', 0);
Active record will format the query with 'and' etc on its own.
The easiest way to add the join is to use from with join.
$this->db->from('accesstable');
$this->db->join('codenames', 'codenames.accselect_lista = accesstable.code');
When using from, you don't need to include the table name in get, so to run the query you can now just use something like:
$query = $this->db->get();
return $query->result();
Check out Codeigniter's Active Record documentation if you haven't already, it goes into a lot more detail with lots of examples.
I would like to create some chaining filters that a user can use to narrow down a list of data from the database.
For instance, I have 5 filters types:
by date
by location
by type
by topic
by keyword
The user is free to use all, some or none of these filters at once.
My first impression is that I would have to store a variable with all the "AND's" and "OR's" of my WHERE clause stacked one after the other but it seems tedious as I may have to programmatically add/delete some filter types later.
Is there a way not to use the whole mysql data that I filter once with one huge request but rather chain the targeted requests that I can add/withdraw if necessary?
I mean, can I filter one after the other the result of each previous filtered result?
For instance, instead of doing this:
SELECT * FROM mytable WHERE (A=3 AND B=4 AND ((C>date1) OR (D<date2)) AND D LIKE '%sample%' )
Is it possible to do something that would achieve this idea:
request 1 = SELECT * FROM mytable WHERE A=3
request 2 = SELECT * FROM "result of request 1" WHERE B=4
request 3 = SELECT * FROM "result of request 2" WHERE C>date1 OR D<date2
request 4 = SELECT * FROM "result of request 3" WHERE E LIKE '%sample%'
The first approach is very hard to manage if the filters are meant to change over time while the second approach is just a matter of adding/withdrawing the desired filter to the chain.
Not to mention that the more filters you have, the more the first approach becomes unreadable and unmanageable.
This could be obtained in pure php if I decide to filter the data after retrieving the whole mysql table but is seems counter productive and more verbose while Mysql has all I need to filter the data directly and it seems useless to get the whole data from Mysql when I only need part of it at the end.
Thank you for your help.
I like the first scenario better, I assume you're submitting a form to decide what to filter. The way I would go about making it scalable and easier to read, is just name the form fields the same as your DB fields. Then you can either keep an array containing the fields you want to use, or make a db call to check if a field is one you want to use in the filter. a simple example.
$filterFields = array('startDate'=>'>',
'endDate'=>'<',
'location'=>'=',
'keyword'=>'LIKE');
function buildQuery($filterFields, $mysqli)
{
$partCount = 0;
$query = "SELECT * FROM mytable WHERE ";
foreach($_POST as $key=>$value)
{
//is the field one we want to use? Does it contain a value?
if(in_array($key, array_keys($filterFields) && !empty($value))
{
if($partCount > 1)
$query .= ' AND ';
if($filterFields[$key] == 'LIKE')
$query .= " `".$key."` LIKE '%".mysqli->real_escape_string($value)."%' ";
else
$query .= " `".$key."` ".$filterFields[$key]." '".mysqli->real_escape_string($value)."' ";
++$partCount;
}
}
return $query;
}
Hopefully that makes sense. If that's not doing what you want or you need clarification, let me know. Also this is not tested, just wrote it here.
Hi there i am working on PHP code that is selecting columns from two tables.
Here is my code:
$result2 = mysql_query("SELECT *
FROM `videos`, `m_subedvids`
WHERE `videos.approved`='yes' AND
`videos.user_id`='$subedFOR'
ORDER BY `videos.indexer`
DESC LIMIT $newVID");
while($row2 = mysql_fetch_array($result2))
{
$indexer = addslashes($row2['videos.indexer']);
$title_seo = addslashes($row2['videos.title_seo']);
$video_id = addslashes($row2['videos.video_id']);
$title = addslashes($row2['videos.title']);
$number_of_views = addslashes($row2['videos.number_of_views']);
$video_length = addslashes($row2['videos.video_length']);
}
When i try to print $indexer with echo $indexer; it's not giving me any results.
Where is my mistake in this code?
It seems to me like the key 'indexer' isn't in your results. It's hard to tell, since you haven't listed a definition for your table and you're using SELECT * so we can't see the names.
It makes the program easier to read later, if instead of SELECT *..., you use SELECT col1, col2, .... Yes, SELECT * will save you some typing right now, but you'll lose that time later when you or anyone else who works on your code has to check the table definition every time they work with that line of code.
So, try changing your query to explicitly select the columns you use. If it's an invalid column you'll get an error right away rather than this silent failure you're getting now, and you'll thank yourself later as well.
So long as videos.indexer is a unique field name among all tables used in the query you can change
$indexer = addslashes($row2['videos.indexer']);
to
$indexer = addslashes($row2['indexer']);
You don't need to (or can not) use the table name when referring to the result.
I have a function that I use called sqlf(), it emulates prepared statements. For instance I can do things like:
$sql = sqlf("SELECT * FROM Users WHERE name= :1 AND email= :2",'Big "John"','bj#example.com') ;
For various reasons, I cannot use prepared statements, but I would like to emulate them. The problem that I run into is with queries like
$sql = sqlf("SELECT * FROM Users WHERE id IN (:1)",array(1,2,3) );
My code works, but it fails with empty arrays, e.g. the following throws a mysql error:
SELECT * FROM Users WHERE id IN ();
Does anyone have any suggestions? How should I translate and empty array into sql that can be injected into an IN clause? Substituting NULL will not work.
Null is the only value that you can guarantee is not in the set. How come it is not an option? Anything else can be seen as part of the potential set, they are all values.
I would say that passing an empty array as argument for an IN() clause is an error. You have control over the syntax of the query when calling this function, so you should also be responsible for the inputs. I suggest checking for emptiness of the argument before calling the function.
Is there a possibility that you could detect empty arrays withing sqlf and change the SQL to not have the IN clause?
Alteratively, you could postprocess the SQL before passing it to the "real" SQL executor so that "IN ()" sections are removed although you'd have to do all sorts of trickery to see what other elements had to be removed so that:
SELECT * FROM Users WHERE id IN ();
SELECT * FROM Users WHERE a = 7 AND id IN ();
SELECT * FROM Users WHERE id IN () OR a = 9;
would become:
SELECT * FROM Users;
SELECT * FROM Users WHERE a = 7;
SELECT * FROM Users WHERE a = 9;
That could get tricky depending on the complexity of your SQL - you'd basically need a full SQL language interpreter.
If your prepare-like function simply replaces :1 with the equivalent argument, you might try having your query contain something like (':1'), so that if :1 is empty, it resolves to (''), which will not cause a parse error (however it may cause undesirable behavior, if that field can have blank values -- although if it's an int, this isn't a problem). It's not a very clean solution, however, and you're better off detecting whether the array is empty and simply using an alternate version of the query that lacks the "IN (:1)" component. (If that's the only logic in the WHERE clause, then presumably you don't want to select everything, so you would simply not execute the query.)
I would use zero, assuming your "id" column is a pseudokey that is assigned numbers automatically.
As far as I know, automatic key generators in most brands of database begin at 1. This is a convention, not a requirement (auto-numbered fields are not defined in standard SQL). But this convention is common enough that you can probably rely on it.
Since zero probably never appears in your "id" column, you can use this value in the IN() predicate when your input array is empty, and it'll never match.
The only way I can think to do it would be to make your sqlf() function scan to see if a particular substitution comes soon after an "IN (" and then if the passed variable is an empty array, put in something which you know for certain won't be in that column: "m,znmzcb~~1", for example. It's a hack, for sure but it would work.
If you wanted to take it even further, could you change your function so that there are different types of substitutions? It looks like your function scans for a colon followed by a number. Why not add another type, like an # followed by a number, which will be smart to empty arrays (this saves you from having to scan and guess if the variable is supposed to be an array).