I have 3 search boxes and the user can type information into any 3 or all 3 search boxes.
$user = $_POST['user'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$query = "SELECT user.user, user.firstname, user.lastname
FROM user WHERE type = 'Owner' AND user LIKE '%$user%'";
If the person was search all 3, how would I put these into it?
$query = "SELECT user.user, user.firstname, user.lastname
FROM user WHERE type = 'Owner' AND user LIKE '%$user%'
OR/AND type = 'Owner' AND fname LIKE '%$firstname%'
OR/AND type = 'Owner' AND lname LIKE '%$lastname%'";
This is what I have but does not work properly but I need something like OR/AND etce etc... Can someone please advise me how to do it? Thanks
This will combine the WHERE statements if values are given
$user = mysql_real_escape_string($_POST['user']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$where[] = "type='Owner'";
if(strlen($user) > 0){
$where[] = "user LIKE '%$user%'";
}
if(strlen($firstname) > 0){
$where[] = "firstname LIKE '%$firstname%'";
}
if(strlen($lastname) > 0){
$where[] = "lastname LIKE '%$lastname%'";
}
$query = "SELECT user.user, user.firstname, user.lastname
FROM user WHERE ". implode(' AND ', $where);
Related
I'm having issues with making a page where only band members can access their own band pages.
Each band in my band table has four columns $bandm1 $bandm2 $bandm3 and $bandm4.
I tried to make a script that drew the session username, and then drew the band_id from the url, and that was successful. but when i tried:
the script didn't work. is it a problem with my AND/OR statements?
EDIT:
here's my full code:
$user = $_SESSION['user_name'];
$get_user = "
select *
from users
where user_name = '$user'
";
$run_user = mysqli_query($con,$get_user);
$row=mysqli_fetch_array($run_user);
$user_name = $row['user_name'];
if(isset($_GET['band_id'])) {
$band_id = mysqli_real_escape_string($con, $_GET['band_id']);
if (ctype_alnum($band_id)){
$q = "SELECT * FROM bands WHERE band_id = '$band_id' ";
$r = mysqli_query($con, $q);
if($r){
while($row=mysqli_fetch_array($r)){
$band_id = $row['band_id'];
$band_name = $row['band_name'];
}
}
}
?>
FROM bands
WHERE band_id = '$band_id'
and (bandm1 = $user_name) OR (bandm2 = $user_name)
OR (bandm3 = $user_name) OR (bandm4 = $user_name)
it works, BUT when i replace the select with:
SELECT * FROM bands WHERE band_id = '$band_id' and (bandm1 = $user_name) OR (bandm2 = $user_name) OR (bandm3 = $user_name) OR (bandm4 = $user_name)";
it stops working
Try adding parentheses to your query:
SELECT * FROM bands WHERE band_id = '$band_id' and ( (bandm1 = $user_name) OR (bandm2 = $user_name) OR (bandm3 = $user_name) OR (bandm4 = $user_name) )
Edit :
You probably need some quotes around these variables, not sure how your script is built, but something like this :
$query = "SELECT * FROM bands WHERE band_id = '".$band_id."' and ( bandm1 = '".$user_name."' OR bandm2 = '".$user_name."' OR bandm3 = '".$user_name."' OR bandm4 = '".$user_name."' )";
Lets say the user only entered in an artist to search by, how do I get PHP to recognize that the user is only looking for an artist and should therefore setup a query only for the artist. The way I have currently done it works, but it is very ineffective when the user wants a variety of search options.
$artist = $_POST["artistSearch"];
$topic= $_POST["topicSearch"];
$date = $_POST["dateSearch"];
$title = $_POST["titleSearch"];
$artistLength = strlen($artist);
$topicLength = strlen($topic);
$dateLength = strlen($date);
$titleLength = strlen($title);
if ($artistLength>2 && $topicLength<2 && $dateLength<2 && $titleLength<2) {
$sql=("Select * FROM music WHERE artist = '$artist' ORDER BY date");
}
if ($artistLength>2 && $topicLength>2 && $dateLength<2 && $titleLength<2) {
$sql=("Select * FROM music WHERE artist = '$artist' AND topic = '$topic' ORDER BY date");
}
if ($artistLength>2 && $topicLength>2 && $dateLength>2 && $titleLength<2) {
$sql=("Select * FROM music WHERE artist = '$artist' AND topic = '$topic' AND date = '$date' ORDER BY date");
}
if ($artistLength>2 && $topicLength>2 && $dateLength>2 && $titleLength>2) {
$sql=("Select * FROM music WHERE artist = '$artist' AND topic = '$topic' AND date = '$date' AND title = '$title' ORDER BY date");
}
$result = mysqli_query($con,$sql);
Simple, you build up the query string in stages. Ignoring your sql injection attack vulnerability, and assuming that all options should be ANDed together, you can do something like:
$options = array();
if ($artist) {
$options[] = "artist = '$artist'";
}
if ($topic) {
$options[] = "topic = '$topic'";
}
etc...
$where_clause = implode(' AND ', $options);
$sql = "SELECT ... WHERE $where_clause";
I am trying to search from a table of employees from a form with 5 fields. The user can use any or all of the search fields with the following rules:
USERFORM (html/php)
EID: (textbox, exact match)
First name: (textbox, LIKE %fname%)
Last Name: (textbox, LIKE %lname%)
Email: (textbox, LIKE %email%)
Department: (dropdown, exact match)(includes a default value for not selecting amongst <options>)
The problem I am having is that when I search for firstname = %j%, it correctly filters to all employees with a firstname containing a j. However whenever I combine this with another or more search parameters it brings the maximum amount of results, rather than filtered minimum, for example firstname %j%, lastname, %b%. Will still return Joe bloggs, and joe coggs.
Same as if I were to add a department on there, I would like it to give me people with a j in their first name, a b in their last name who are a member of department 1. But instead then, it would give me all employees who are in the department regardless of the name search parameters, aswell as employees who are in another department bu have a j in their name.
And here is the query and other code:
$eid = $_POST['eid'];
$p_fname = $_POST['fname'];
$p_lname = $_POST['lname'];
$p_email = $_POST['email'];
$depid = $_POST['depid'];
if(empty($_POST['fname'])) { $fname = "";} else { $fname = "%$p_fname%"; }
if(empty($_POST['lname'])) { $lname = "";} else { $lname = "%$p_lname%"; }
if(empty($_POST['email'])) { $email = "";} else { $email = "%$p_email%"; }
$query = $db->prepare("SELECT `employees`.`eid`, `employees`.`fname`, `employees`.`lname`, `employees`.`dob`, `employees`.`email`, `departments`.`depname`
FROM `employees`
INNER JOIN `departments`
ON `employees`.`depid` = `departments`.`id`
WHERE
`eid` = :eid ||
`fname` LIKE :fname ||
`lname` LIKE :lname ||
`email` LIKE :email ||
`depid` = :depid
ORDER BY `employees`.`eid` ASC
LIMIT :start_from, 10");
$query->bindParam(":eid", $eid);
$query->bindParam(":fname", $fname);
$query->bindParam(":lname", $lname);
$query->bindParam(":email", $email);
$query->bindParam(":depid", $depid);
$query->bindParam(":start_from", $start_from);
$query->execute();
When I think about it I get why it would return the maximum results, however I have tried to change the OR to AND and used parentheses I get no results at all, because the the query is trying to return records that have a blank value in the columns which aren't defined.
I have also tried having AND for the exact values and OR for the wildcard values and this returns all results.
I really don't want to write a php script which has to define which columns to use and execute a different query for each scenario.
I recommend not adding needless logic to the WHERE clause. Build the dynamic statement and deliver the variables into the execute() call <- this is one of the very handy things about PDO.
$conditions = [];
$params = [];
if (!empty($_POST['eid']) {
$conditions[] = "eid = ?";
$params[] = $_POST['eid'];
}
if (!empty($_POST['fname']) {
$conditions[] = "fname LIKE ?";
$params[] = "%{$_POST['fname']}%";
}
if (!empty($_POST['lname']) {
$conditions[] = "lname LIKE ?";
$params[] = "%{$_POST['lname']}%";
}
if (!empty($_POST['email']) {
$conditions[] = "email LIKE ?";
$params[] = "%{$_POST['email']}%";
}
if (!empty($_POST['depid']) {
$conditions[] = "depid = ?";
$params[] = $_POST['depid'];
}
$params[] = $start_from;
Then apply the conditions to the sql string, and execute the prepared statement with the values bound to the placeholders.
$sql = "SELECT employees.eid,
employees.fname,
employees.lname,
employees.dob,
employees.email,
departments.depname
FROM employees
INNER JOIN departments ON employees.depid = departments.id
" . ($conditions ? 'WHERE ' . implode(" AND ", $conditions) : '') . "
ORDER BY employees.eid
LIMIT ?, 10";
$query = $db->prepare($sql);
$query->execute($params);
Here is a similar answer without the battery of conditionals:
Build SELECT query with dynamic number of LIKE conditions as a mysqli prepared statement
I solved the issue by using LIKE and not = as the operator for, and swapping OR for AND as mentioned in the mentioned in the comment on the question.
The reason I had to use LIKE was because when the field is not in use from the form, it has to be a wildcard, and so = isn't suitable.
$p_eid = $_POST['eid'];
$p_fname = $_POST['fname'];
$p_lname = $_POST['lname'];
$p_email = $_POST['email'];
$p_depid = $_POST['depid'];
// wildcard added when field not in use, but removed when in use
if(empty($_POST['eid'])) { $eid = "%%";} else { $eid = "$p_eid"; }
if(empty($_POST['fname'])) { $fname = "%%";} else { $fname = "%$p_fname%"; }
if(empty($_POST['lname'])) { $lname = "%%";} else { $lname = "%$p_lname%"; }
if(empty($_POST['email'])) { $email = "%%";} else { $email = "%$p_email%"; }
// wildcard added when field not in use, bu removed when in use
if(empty($_POST['depid'])) { $depid = "%%";} else { $depid = "$p_depid"; }
$query = $db->prepare("SELECT `employees`.`eid`, `employees`.`fname`, `employees`.`lname`, `employees`.`dob`, `employees`.`email`, `departments`.`depname`
FROM `employees`
INNER JOIN `departments`
ON `employees`.`depid` = `departments`.`id`
WHERE
`eid` LIKE :eid AND
`fname` LIKE :fname AND
`lname` LIKE :lname AND
`email` LIKE :email AND
`depid` LIKE :depid
ORDER BY `employees`.`eid` ASC
LIMIT :start_from, 10");
$query->bindParam(":eid", $eid);
$query->bindParam(":fname", $fname);
$query->bindParam(":lname", $lname);
$query->bindParam(":email", $email);
$query->bindParam(":depid", $depid);
$query->bindParam(":start_from", $start_from);
$query->execute();
I have created an auto suggestion search box using php and jquery. The user prompted to insert name and surname to find someone that exists in my database, in a table called user. Table users holds 2 columns, name and surname. My search works fine when you type the name but after pressing space to move and type surname does not give any results. The whole problem seems to appear when pressing space button. Any idea how to fix it?
This is my jquery code:
$(document).ready(function(){
$('#search_form_1').keyup(function(){
var value = $(this).val();
if(value != ''){
$('#search_result').show();
$.post('search_form.php', {value: value}, function(data){
$('#search_result').html(data);
});
}else{
$('#search_result').hide();
}
});
});
And this is my php code:
<?php
if(isset($_POST['value'])== true && empty($_POST['value']) == false){
$value = mysql_real_escape_string($_POST['value']);
$query = mysql_query(" SELECT `surname`, `name` FROM `users` WHERE (`surname` LIKE '$value%' OR `name` LIKE '$value%') OR (`name` LIKE '$value%' OR `surname` LIKE '$value%') ");
while($run = mysql_fetch_array($query)){
$surname = $run['surname'];
$name = $run['name'];
echo " $surname $name ";
}
}
?>
You have to split the search:
<?php
if(isset($_POST['value'])== true && empty($_POST['value']) == false){
$value = mysql_real_escape_string($_POST['value']);
$name_and_surname = explode(" ", $value);
$name = $name_and_surname[0];
$surname = $name_and_surname[1];
$q = " SELECT `surname`, `name` FROM `users` WHERE (`surname` LIKE '$name%' OR `name` LIKE '$name%') OR (`name` LIKE '$surname%' OR `surname` LIKE '$surname%') ";
// check your query one more time
echo $q;
$query = mysql_query($q);
while($run = mysql_fetch_array($query)){
$surname = $run['surname'];
$name = $run['name'];
echo " $surname $name ";
}
}
An edit is not granted so here is the code:
$value = mysql_real_escape_string($_POST['value']);
$names = explode(" ", $value);
if(count($names)>1){
$name = $names[0];
$surname = $names[1];
$q = "SELECT surname, name FROM users WHERE (name LIKE '$name%' AND surname LIKE '$surname%') OR (name LIKE '$surname%' AND surname LIKE '$name%')";
}else{
$q = "SELECT surname, name FROM users WHERE (name LIKE '$value%' OR surname LIKE '$value%')";
}
If you just want to amend the SQL query, you should just be able to do something like this.
select name, surname from users where CONCAT(name, ' ', surname) like '%value%'
That will take the first name and last name and put a space between them and then search that.
That means when your user hits the space bar it will still find the user you're looking for.
I have 3 tables i want to access with my search php. 2 of them contain all the users profile information. One is called cprofile and the other is bprofile. they are both linked to a user table that contains the username, email, password and most importantly the profile picture.
With the search engine i am trying to access both the info from the search to the individual profile tables and to gather the account information from the user table. This is my code for searching for both types of users:
$search_output = "";
if( isset($_POST['searchquery']) && $_POST['searchquery'] != "" ) {
$searchquery = preg_replace('#[^a-z 0-9?!]#i', '', $_POST['searchquery']);
if($_POST['filter1'] == "Whole Site") {
$sqlCommand = "(SELECT count(*) FROM cprofile WHERE firstname ='%".$searchquery."%' OR lastname ='%".$searchquery."%')
UNION (SELECT count(*) FROM bprofile WHERE cname ='%".$searchquery."%')";
$query = mysqli_query( $db_conx, $sqlCommand ) or die( mysqli_error($db_conx) );
$count = mysqli_num_rows( $query );
while( $row = mysqli_fetch_array($query, MYSQLI_ASSOC) ) {
$userid = $row["userID"];
$ret = mysqli_query($db_conx, "SELECT id, username FROM users WHERE id='$userid'");
while($raw = mysqli_fetch_array($ret, MYSQLI_ASSOC)) {
$username = $raw['username']; $file= $raw['avatar'];
}
}
}
}
Does anyone notice where i am going wrong and how i could resolve this issue? Thanks in advance
I might be going in the wrong direction here but you are getting counts from your query and then looking for a userID in the while loop. If you want both then do something like
$sqlCommand = "
(SELECT userid, count(*) as count FROM cprofile WHERE firstname ='%".$searchquery."%' OR lastname ='%".$searchquery."%')
UNION
(SELECT userid, count(*) as count FROM bprofile WHERE cname ='%".$searchquery."%')
";