I am trying to $_GET some variables that a user may enter (busy making a basic web-server):
$users= strval($_GET['user']);
$price= intval($_GET['price']);
$productID= intval($_GET['productid']);
This is my query:
$query = "SELECT * FROM `table` WHERE `user` = '" . $user . "' AND `price` <= " . $price . " AND `productID` = " . $productID;
(something like this)
Given this theoretical link:
www.example.com/api.php?price=300
And don't use the rest of the GET (user and productID) will automatically be filled with either 0 or '' (int/string).
So I thought I could use an if statement:
if(price == 0){
// change the query without the price as WHERE
}
But what if I have combinations of price and productID or productID and user as variables.
What is the best way to handle this? Maybe it's a stupid question but I can't figure it out.
You can use combined IF statements to build the appropriate query using the variables if they are supplied (and ignoring them if not)
$query = "SELECT * FROM `table` WHERE 1"; // WHERE 1 means "return all rows from table"
if ( isset( $_GET['price'] ) ){ // Only if price variable is set
$query .= " AND price <= '{$_GET['price']}'"; // Restrict results by price
}
if ( isset( $_GET['user'] ) ){ // Only if user variable is set
$query .= " AND user LIKE '{$_GET['user']}'"; // Restrict results by user
}
if ( isset( $_GET['productID'] ) ){ // Only if user variable is set
$query .= " AND productID = '{$_GET['productID']}'"; // Restrict results by productID
}
You can use ternary operator to make query string correctly, concatenating price clause when it is set.
$query = "select * from table where user = $user" . ($price ? " AND price <= $price" : "") . " AND productID = $productID";
Your english is poor, we are brazilians o/
$users = $_GET['user'] || "";
$price = $_GET['price'] || 0;
$productID = $_GET['productid'] || 0;
$query = "SELECT * FROM table WHERE 1";
$query .= (isset($_GET['user'))?"AND user = '{$users}'";
$query .= (isset($_GET['price'))?"AND price <= '{$price}'";
$query .= (isset($_GET['productid'))?"AND productID = '{$productID}'";
In case you want to use the variables for something else. This sets the values to 0 or "" (empty string) if they aren't set in the $_GET data.
Related
I'm making a search filter on my events website. There are 3 drop down inputs: Location, event type, date.
When the user submits the search filter, the form posts values that changes the mysql query which will display different events on the user screen. I'm having trouble finding a flexible solution.
Right now my query is like this:
$filter = $database->prepared_query("SELECT * FROM onlineevent WHERE event_location = (?) AND event_type = (?) AND event_date = (?)", array($l, $t, $d));
How can I make $l retrieve ALL possible values for event_location? The same goes for $t and $d. I thought I could set $l to '*' but that doesn't work.
The problem now is if the user doesn't select a value for $l, and they do select a value for $t and $d, then the query doesn't work. I want to set the default value for each variable to bring all results for each condition.
So if the user doesn't select any filter and submits the form, the query I'm looking for would look something like this:
$filter = $database->prepared_query("SELECT * FROM onlineevent WHERE event_location = (?) AND event_type = (?) AND event_date = (?)", array(ALL, ALL, ALL));
The original version of Ali_k's answer was almost right, but made the mistake of including the whole clause as a parameter, rather than just the value. That would cause the whole clause to be seen as a string value, rather than as code with values within it.
The idea of building up the string gradually - and, crucially, only adding a clause if there's actually value specified in the search parameters - is correct though. You also need need to build up the parameter array separately at the same rate.
Here's a version which should actually execute correctly:
$sql = "SELECT * FROM onlineevent";
$sqlfilters = "";
$parameters = array();
if( !empty($l) ){
$sqlfilters .= " event_location = ?";
$parameters[] = $l;
}
if( !empty($t) ){
$sqlfilters .= ($sqlfilters != "" ? " AND" : "")." event_type = ?";
$parameters[] = $t;
}
if( !empty($d) ){
$sqlfilters .= ($sqlfilters != "" ? " AND" : "")." event_date = ?";
$parameters[] = $d;
}
if ($sqlfilters != "") sqlfilters = "WHERE ".$sqlfilters; //add a WHERE clause if needed
$sql .= $sqlfilters; //add the filters to the initial SQL
$filter = $database->prepared_query($sql, $parameters);
Maybe I'm misunderstanding you but aren't you just looking for:
$filter = $database->prepared_query("SELECT * FROM onlineevent")
OR
$filter = $database->prepared_query("SELECT * FROM onlineevent WHERE event_location IS NOT NULL AND event_type IS NOT NULL AND event_date IS NOT NULL")
Your question is not quite clear and it is also not clear how the prepare function works, but here is my suggestion:
$array = array();
$query_parms = '';
if( !empty($l) ){
$array[] = $l;
$query_parms .= 'event_location = (?)';
}
if( !empty($t) ){
$array[] = $t;
$query_parms .= count($array) > 1 ? 'AND event_type = (?)' : 'event_type = (?)';
}
if( !empty($d) ){
$array[] = $d;
$query_parms .= count($array) > 1 ? 'AND event_date = (?)' : 'event_date = (?)';
}
$filter = $database->prepared_query("SELECT * FROM onlineevent WHERE " . $query_parms, $array);
In PHP side I have to filter my query due to the parameters received from $_POST. So if the parameters are set, query has to filter results related to params, if not, query should omit the condition. What I want to do is just write one query to switch between 2 different condition
$name = $_POST['name']!="" ? $_POST['name'] :"" ;
$family = $_POST['family']!="" ? $_POST['family'] :"" ;
$country = $_POST['country']!="" ? $_POST['country'] :"" ;
$where[1] = $name!="" ? 'name LIKE "%%s%%"' :TRUE ;
$where[2] = $family !="" ? 'family LIKE "%%s%%"' :TRUE ;
$where[3] = $country !="" ? 'country LIKE "%%s%%"' :TRUE ;
$sql = "SELECT *
FROM {$tbl}
WHERE {$where[1]} AND {$where[2]} AND {$where[3]} AND
soft_delete IS NULL OR soft_delete < 1
";
$query = $wpdb->prepare($sql, $name, $family, $country);
$results = $wpdb->get_results($query);
What I want is if one of those parameters isn't set, query has not filter the query. for example, if just $name is set, query filter records according to name field and the other conditions must be true
It seems you need something like this:
$sql = "SELECT *
FROM {$tbl}
WHERE ";
if (!$where[1] && !$where[2] && !$where[3]) {
$sql .= "{$where[1]} AND {$where[2]} AND {$where[3]} AND";
}
$sql .= " soft_delete IS NULL OR soft_delete < 1";
I am using multiple queries and it's working fine, the only issue I am facing is that order by is not working. I tried some code like
$query = "SELECT id, name, reg_number, class, section FROM register where id IS NOT NULL ORDER BY `id` DESC";
it's working fine in phpmyadmin and giving me a proper result. But it's not working where I want to use it.
$query = "SELECT id, name, reg_number, class, section FROM register where id IS NOT NULL ";
if ( $name !="" ){
$query .= " AND `name` LIKE '".$name."%'"; // id is greater then
}
if ( $status !="" ){
$query .= " AND `status` LIKE '".$status."%'"; // id is greater then
}
if ( $id_from !="" ){
$query .= " AND id >= $id_from "; // id is greater then
}
if ( $id_to !="" ){
$query .= " AND id <= $id_to "; // id is shorter then
}
if ( $class !="" ){
$query .= " AND class IN($class)"; // Selecting class
}
if ( $section !="" ){
$query .= " AND section IN($section)"; // selecting section
}
$result = mysql_query($query);
I want to use order by in this query but order by is not working with this.
$query = "SELECT id, name, reg_number, class, section FROM register where id IS NOT NULL ORDER BY `id` DESC";
AND also used
$query = "SELECT id, name, reg_number, class, section FROM register where id IS NOT NULL ORDER BY id DESC";
I don't know what's the problem with my code.
Just add ORDER BY when finish your WHERE:
if ( $section !="" ){
$query .= " AND section IN($section)"; // selecting section
}
$query .= " ORDER BY id DESC";
$result = mysql_query($query);
I need your help with my website search functionality. I'm developing a members area wherein users can search other registered users based on certain criteria, or combination of criteria.
My problem now is how to build a dynamic mysql query to suit the need of each combination of search criteria, where the number of criteria is variable.
Normally, I can write with a pre-determined set of criteria using
WHERE param1 = '$param1'
AND param2 = '$param2'
AND param3 = '$param3'
How do I solve this problem?
If the issue is that you don't know which of the criteria the user will pick, but want to return results for "blank" criteria, you can use the following:
$criteria_1 = $_POST['criteria_1'];
$criteria_2 = $_POST['criteria_2'];
$criteria_3 = $_POST['criteria_3'];
if(!$criteria_1 && !$criteria_2 && !$criteria_1) {
echo "You must select at least one criteria!";
} else {
// Run query mentioned below and return results.
}
THe query would then look like:
SELECT * from mytable
WHERE
(criteria1 = '$criteria_1' OR '$criteria_1' = '') AND
(criteria2 = '$criteria_2' OR '$criteria_2' = '') AND
(criteria3 = '$criteria_3' OR '$criteria_3' = '')
This will treat any blank (non-selected) parameters as blank and ignore them. Be aware that with the above, if no criteria are given, it will return all results.
Another way to write the above is:
SELECT * from mytable
WHERE
criteria1 IN ('$criteria_1', '') AND
criteria2 IN ('$criteria_2', '') AND
criteria3 IN ('$criteria_3', '')
Again, allowing for no entry at all to return all criteria1 results.
Here's a generic example of what you're asking:
$query = "SELECT * FROM mytable";
if ($_POST['name'] == "Jack") {
$query .= " WHERE name = 'Jack'";
}
if ($_POST['name'] == "Bob") {
$query .= " WHERE name = 'Bob'";
}
if ($_POST['state'] != "") {
$query .= " AND state = '" . mysql_real_escape_string($state) . "'";
}
//So now, in total, your query might look like this
//"SELECT * FROM mytable WHERE name = 'Bob' AND state = '$state'"
$result = mysql_query($query);
You just add to your $query string with if statements, then execute the query once you've checked all $_POST variables.
I've seen queries like this, so that if you don't want to put in a value for a particular column, you pass in NULL for that column:
SELECT *
FROM users
WHERE param1 = :param1
UNION
SELECT *
FROM users
WHERE param2 = :param2
UNION
SELECT *
FROM users
WHERE param3 = :param3
This assumes that you'll have each column indexed and you're performing Boolean AND searches (and using PDO).
use your scripting language (php) to loop over the inputs...
then have a structure like this:
WHERE 1=1
then add your
AND paramx = '$px'
to it...
$criteria = array();
//Populate your criteria and parameter arrays with input from the web page here
...
// $criteria should now have stuff in it
$sql = "SELECT * FROM mytable ";//Or whatever your sql query is
$count = 0;
foreach ($criteria as $key => $parameter) {
if ($count == 0) {
$sql = $sql."WHERE ".$key." = ".$parameter;
} else {
$sql = $sql."AND ".$key." = ".$parameter;
}
$count++;
}
That said, this is highly vulnerable to sql injection attack. Try using PHP PDO
An option is also to build the query from php/asp or whatever you working with, like this
$param1 = (isset($searchParam1) ? "param1 = $searchParam2" : "1");
$param2 = (isset($searchParam2) ? "param2 = $searchParam2" : "1");
$param3 = (isset($searchParam3) ? "param3 = $searchParam3" : "1");
and the query would be like
SELECT ... WHERE $param1 $param2 $param3
would like to share this code to build dynamic mysql query with PHP
Thx & regards
$vocabulary = (($page == "vocabulary") ? "image_name <> ''" : "");
$groupcat = (($group != "") ? "group = $group" : "");
$var = array($vocabulary, $groupcat);
$counter = "0";
$param = "";
for ($i=0;$i<count($var);$i++)
{
if ($counter == "0" && $var[$i] != "" ) $param = "WHERE ";
if ($counter > "0" && $var[$i] != "" ) $param = " AND ";
if ($param != "")
{
$condition .= $param . $var[$i];
$param="";
$counter++;
}
}
echo "Condition : ". $condition;
I'm working at a search script at the moment, but I have a little problem. I'm using the following query:
mysql_query("SELECT * FROM boeken WHERE
titel LIKE '%".$titel."%' AND
categorie_id = '".$categorie."' AND
auteurs LIKE '%".$auteurs."%' AND
jaar_copyright = '".$jaar_copyright."'
AND ontwerp_groep = '".$ontwerp_groep."'");
For example, when I search for 'categorie_id' = '5', and leave the other fiels empty, I want to get every row that has categorie_id = 5. No matter what the other fields are.
What it does is the following: I get every row that has categorie_id = 5, but where the title is empty, where the 'jaar_copyright' is empty, etc. etc.
How can I fix this the way I want?
<?php
$query = "SELECT * FROM boeken WHERE";
$n = 0;
$makeAnd = "";
foreach($_POST as $key=>$value){
if($value != '' && $value != 'submit'){
if($n != 0){$makeAnd = " AND";}
if(!is_numeric($value)){
$query .= "$makeAnd `$key` LIKE '%$value%'";
} else {
$query .= "$makeAnd `$key` = '$value'";
}
$n++;
}
}
print $query;
?>
In this way you can filter out empty values. If other values are posted to $_POST make sure to filter them out in the "if($value !=" part.
Why not just build a query based on vars? That way they're not included in the query unless the var is populated. I don't know what your variables like $titel actually are, so I just say if they're not blank. This should obviously be set towhatever is applicable. Not null, isset, etc. and always escape with something like mysql_real_escape_string()
$titel_where = "";
if($titel != '')
$title_where = "AND titel LIKE '%".$titel."%'";
$auteurs_where = "";
if($auteurs_where != "")
$auteurs_where = "AND auteurs LIKE '%".$auteurs."%'";
$jaar_copyright_where = "";
if($jaar_copyright != '')
$jaar_copyright_where = "AND jaar_copyright = '".$jaar_copyright."'";
$ontwerp_groep_where = "";
if($ontwerp_groep != '')
$ontwerp_groep_where = "AND ontwerp_groep = '".$ontwerp_groep."'";
mysql_query("SELECT * FROM boeken WHERE
categorie_id = '".$categorie."'
$titel_where
$auteurs_where
$jaar_copyright_where
$ontwerp_groep_where
");
mysql_query("SELECT * FROM boeken WHERE
( '".$categorie."' = 5 AND
categorie_id = 5
) OR
( titel LIKE '%".$titel."%' AND
categorie_id = '".$categorie."' AND
auteurs LIKE '%".$auteurs."%' AND
jaar_copyright = '".$jaar_copyright."' AND
ontwerp_groep = '".$ontwerp_groep."'
)");
For each criteria, you need to add a second evaluation for a blank parameter value:
(categorie_id = '".$categorie."' OR '".$categorie."' = '') AND ...
This way you cover both cases of an empty or a populated parameter.
EDIT:
Sample query as it would appear in SQL.
Assume you pass in a $categorie of 5 and no other parameters:
SELECT * FROM boeken WHERE
(titel LIKE '%%' OR '' = '' )AND
(categorie_id = '5' OR '5' = '') AND
(auteurs LIKE '%%' OR '' = '') AND
...
If they get passed in as NULL then do a NULL comparison instead of an empty string comparison.
You should check what field is set in code, and then only add that part to your query. for instance:
if(isset($_POST['categorie_id'])){
$where = " categorie_id = '".$categorie."' ";
}elseif(...){
....
}
Well, you get the point, you can make it a bit neater probably, depending on the format of your form/POST etc, but that's the idea. Just figure out WHAT you know, and then push it in the SQL.
I'm at work, so no long stories possible, but you should be able to figure it out with this:
foreach($_POST as $key=>$item){
if($value != ''){
$yourField = $key;
$yourValue = $item;
}
}
//PERFORM SANITY CHECKS!
//MAYBE USE PDO etc? (but that's another thing)
//SAVE them in 2 new variables used below:
$query = "SELECT * FROM boeken WHERE `$sanitizedField` = '$sanitizedValue'";