I'm trying to convert regular query building to stored procedures. I do not know the best way to go about this, with "building" a query. Not sure how to explain, so i will give an example. My example is in PHP, but the concept is the same in any language.. example should be simple enough.
if($somevar){
$w .= " AND SomeVar = '$somevar' ";
}
if($anothervar){
$w .= " AND AnotherVar = '$anothervar' ";
}
$sql = "SELECT * FROM MyTable WHERE Title = 'test' " . $w;
So basically if both of those have a value, then the SQL would be:
SELECT * FROM MyTable WHERE Title = 'test' AND SomeVar = 'blah' AND
AnotherVar = 'blah'
Because there's four possible variations of this query, what would be the best way to "build" this query using stored procedures?
Heres the other three possibilities:
SELECT * FROM MyTable WHERE Title = 'test' AND AnotherVar = 'blah'
SELECT * FROM MyTable WHERE Title = 'test' AND SomeVar = 'blah'
SELECT * FROM MyTable WHERE Title = 'test'
Do I pass both variables via BIND to a SP, then in the SP do the IF/ELSE statements.
If so, could someone provide me with an example on how to do this in the SP?
Or, is there some other way of handling this?
Thanks!
Edit: The MySQL will be converted to MSSQL from regular queries, to stored procedures
Edit 2:
based on Joe Stefanelli's comment, i think this is the answer to my question, any thoughts?
CREATE PROCEDURE testSP
#somevar varchar(50),
#anothervar varchar(50)
AS
SELECT * FROM MyTable WHERE Title = #title
AND ((SomeVar = #somevar AND #somevar IS NOT NULL) OR (#somevar IS NULL))
AND ((AnotherVar = #anothervar AND #anothervar IS NOT NULL) OR (#anothervar IS NULL))
MySQL does not support dynamic SQL in stored procedures. If you can get by with a prepared statement, you'd be good to go, but otherwise you may want to split your logic into separate procedures.
Also take a look at this SO question.
Related
I am taking my first tentative steps into prepared statements (and falling flat on my face).
Previously, I built the following from $_GET and echoed it back - the code was working fine and it returned what I expected from my simple test database.
SELECT * FROM edit_box WHERE (tag="9") AND (text="mango") ORDER BY time_stamp DESC
and when I try to code it using a prepared statement, even if I don't use $_GET but just hard-code the values from the previous, my code looks like this
$odbc_query = OdbcPrepare('SELECT * FROM edit_box WHERE (tag="?")' .
' AND (text ? "?") ORDER BY time_stamp DESC');
$odbcResult = odbc_exec($odbc_query, array('9', '=', 'mango'));
var_dump($odbcResult);
I get NULL.
Obviously a beginner mistake, but I stare at it and still don't say d'oh!
What am I doing wrong?
You cannot do this --
AND (text ? "?")
Parameters, like this, can usually only be passed for actual values - and in some cases identifiers...
To do what you want you need to interpolate the '=' inline into the SQL statement...
Kind of, like this --
$logical_operator = '=';
$sql = SELECT * FROM edit_box WHERE (tag=\"?\") AND (text $logical_operator \"?\") ORDER BY time_stamp DESC');
$odbc_query = OdbcPrepare($sql);
$odbcResult = odbc_exec($odbc_query, array('9', 'mango'));
I'm letting users search my database for data by city.
My query looks like:
$results = mysql_query("SELECT * FROM mydb WHERE City='".$city."' LIMIT 10");
I want a user to be able to search 'all cities', so I'd like to either remove the WHERE statement if $city=='all cities'; or use a wildcard for the WHERE statement that matches all cities in the db.
I used to have an IF statement that switched between two queries, but I want to add more filters like country/all countries, zipcode/all zipcodes, etc, So I'd rather keep one dynamic SQL query.
Well, you could still have just one query and build the where clause dynamically, as such:
$where = '';
// conditional statements (if/else, switch) for populating the where clause
$where .= " WHERE City = '{$city}'";
$where .= " AND Country = '{$country}'";
$results = mysql_query("SELECT * FROM mydb{$where} LIMIT 10");
One way would be a case statement:
WHERE City = case when '$city' = 'All cities' then City else '$city' end
If the user is searching for 'All cities', this turns the WHERE statement into:
WHERE City = City
Which is always true (at least for non-null cities ;))
P.S. Make sure you're running these queries using a read-only MySQL account. The user could enter funny stuff into the $city parameter!
You could try
WHERE City like '$city'
and permit the users to enter wildcards, if you think they'd be up to it.
although not PHP programmer, this pseudocode might offer an option... conditionally build out your where clause. Additionally, I would do it with parameterized queries instead of direct string building to prevent sql-injection attacks.
cYourSQL = "select * from YourTable where "
cAndRequired = ""
if city is NOT "all cities"
cYourSQL = cYourSQL + cAndRequired + " city = 'YourParameterValueProvided' "
cAndRequired = " AND "
endif
Now, always add your country selection
cYourSQL = cYourSQL + cAndRequired + " country = 'YourCountryValue' LIMIT 10 "
Run the query
look at this table please
table
|id| |name| |order|
i must get the rows, where name = something and order = somevalue
so i write
select `id` from `table` where `name` = 'something' and `order` = 'somevalue'
but depend on php logic, sometimes i need to get all rows, where name = something, independently of order value. i don't want to change the query structure, because in practise there are many number of fields, and possible count of queries will become very big. so i want to save the structure of query, and when i need to select just by name, i want to write something like this:
select `id` from `table` where `name` = 'something' and `order` = any value
is it possible?
thanks
Well, it's kind of a hack, but if you really need to do this, it'll work like this:
select `id` from `table` where `name` = 'something' and `order` = `order`
Then you're just saying "wherever order is the same as itself", so it's always true.
No, this is not possible. You need to change the structure (optionally to a LIKE so you can use '%', but that's very ugly).
However, you don't need to write a different query to handle every possible combination. You can simply create the query dynamically:
//create base query
$query = "select `id` from `table` where `name` = 'something' ";
//add order if we need it
if ($use_order)
$query .= "and `order` = 'somevalue' ";
//repeat for any other optional part
Note that you should of course still take proper measures to avoid SQL injection and other security issues - I have not included this here in order to keep things simple.
If you are using bound parameters, it would be impossible.
If you just substitute the values, you can do the following:
select `id` from `table` where `name` = 'something' and `order` = `order`
This is a common theme with database queries - you need a variable query depending on how much filtering you wish to apply to the data it queries. You could go the route of having your query repeated as a string throughout your code, but that is bad practice as it increases the complexity of the code needlessly. Chances for errors occur if you need to change the query for some reason, and have to change it in multiple places as a result.
The better solution is to create a function which builds the query for you execute:
function buildMyQuery($name, $order = null) {
$sql = "SELECT `id` FROM `table` WHERE `name`='$name'";
if ($order != null) {
$sql .= " AND `order`='$order'";
}
return $sql;
}
You could then run this for just using the 'name' field:
$query = buildMyQuery("somename");
Or this for using both fields:
$query = buildMyQuery("somename", "someorder");
As someone mentioned above, this code is deliberately simplified and contains no contingency for possibly dangerous data passed in via $name or $order. You would need to use mysql_real_escape_string or something similar to clean the data first, at the beginning of the function before either piece of data is used.
Dynamic query generation is a fact of life as Byron says, so I would become accustomed to it now rather than using hack-ish workarounds.
I don't think you have any choice... Once you do a selection you can't "unfilter" and get more rows.
You should just use two queries-- either two independent queries, or one that selects on the name into a temp table, and then (optionally) one that further selects on the order attribute.
Like Chad said above, just set the column equal to itself. But be careful, on some platforms / install configurations, NULL != NULL:
select `id` from `table` where `name` = 'something' and coalesce(`order`,'') = coalesce(`order`,'')
On reflection, I have a better answer. My colleague showed me a way this can be done.
My example...
Select rentals.* From rentals Where ((? = '') OR (user_id = ?))
The variables must be the same.
If they are both 5 for example, the first boolean will be false, but the second will be true, for the rows where the users id is 5.
If you require "all", setting as an empty string will result in all rows being seen to meet the where clause condition.
Can't you just use a not null query here?
select `id` from `table` where `name` = 'something' and `order` is not null;
You should be able to do it like this:
select `id` from `table` where `name` <>'' and `order` <>''
That will select anywhere that the value is not equal to blank.
$sql = "SELECT * FROM auctions WHERE id = id ";
if ($category !== "ANY") {
$sql .= "AND category = $category "; }
if ($subcategory !== "ANY") {
$sql .= "AND subcategory = $subcategory "; }
if ($country !== "ANY") {
$sql .= "AND country = $country "; }
$sql .= "ORDER BY $order $sort LIMIT $limit OFFSET $offset";
I have to get records from my MySQL DB where:
sentto = "$username"
OR
sentto = "everyone"
How would I put this in a MySQL query? I tried a few things, but they don't seem to be working:
mysql_query("SELECT *
FROM pmessages
WHERE status='unread'
AND sentto='$username' || sentto='everyone'");
mysql_query("SELECT *
FROM pmessages
WHERE status='unread'
AND sentto='$username'
AND sentto='everyone'");
I seem to be stumped, if anyone knows how to do this the right way please let me know. This is a new scenario for me. Thank you!
SELECT *
FROM pmmessages
WHERE sentto = '$username'
OR sentto = 'everyone'
Edit Chris, based on your new query of:
SELECT *
FROM pmessages
WHERE status='unread'
AND sentto='$username'
OR sentto='everyone'
You need to modify it so that your AND stands alone (it is conflicting with your OR).
Rewrite it to this
SELECT *
FROM pmessages
WHERE status='unread'
AND
(sentto='$username'
OR sentto='everyone' )
Taking the detail from one of your comments into account - use the " OR " keyword and parentheses to make sure that the right conditions are combined.
SELECT * FROM pmessages WHERE
status = 'unread'
AND
(sentto = ? OR sentto = 'everyone')
Your problem was never with the OR, though, it was actually the AND precedence and lack of parentheses. The very significant detail that you completely omitted from your question was the additional test for "status = unread".
Note the use of ? above - you should really, really use prepared statements whenever combining MySQL and PHP, i.e.:
$sql = "..." # as above
$sth = $db->prepare($sql);
$res = $sth->execute($username);
while ($row = $sth->fetchrow()) {
...
}
(or the mysqli equivalent)
As it's the same column you're testing, I would use the IN keyword:
SELECT *
FROM pmessages
WHERE status='unread'
AND sentto IN ('everyone', '$username');
The word OR is what you're looking for:
mysql_query("SELECT * FROM pmessages WHERE sentto='$username' OR sentto='everyone'");
is everyone an actual value or do you want to return all results?
if you want to return all results set up something like this
if (#sentto is null)
begin
set #sendto='%'
end
mysql_query("SELECT * FROM pmessages WHERE sentto='$username'")
Alt A below is a statement from a php-mysql tutorial. It works as it should.
I found the id-value rather obfuscated and tested alt B. This also worked!
What is the point with the id-value of alt A?
MySQL 5.0.51, PHP 5.2.6
// Alt A :
$sql = "SELECT * FROM example WHERE id = '".$q."'";
// Alt B :
$sql = "SELECT * FROM example WHERE id = $q";
This are just two different approaches to building a string from static and variable data.
Alternative A uses concatenation, or the joining of string and variable tokens using the concatenation operator.
Alternative B uses variable expansion, wherein the variables inside a double-quote-delimited string are expanded to their values at evaluation time.
Neither is necessarily better or preferred, but if you have to have single-quote-delimited strings, for example, then you would need to use alternative A.
Of course, neither of these is preferable to building SQL queries with bound parameters, as not doing so leaves you vulnerable to SQL injection attacks.
Theres two reasons to use the example in 'Alt A'. First is if the string is enclosed in single quotes '', the variable's name will be used in the string instead of it's value.
$id = 7;
'SELECT * FROM table WHERE id = $id' //works out to: WHERE id = $id
"SELECT * FROM table WHERE id = $id" //works out to: WHERE id = 7
Secondly, it's useful to combine strings with the results of a function call.
"SELECT * FROM table WHERE id = '".getPrimaryId()."'"
Outside of what has already been said I've found it best practice, if I'm writing a query, to write it as so:
$sql = "SELECT * FROM table WHERE uid=" . $uid . " LIMIT 1";
The reason for writing SQL like this is that 1. MySQL query doesn't have to parse the PHP variables in the Query and 2 you now easily read and manage the query.
When PHP communicates with MySQL, it is actually (in essence) two languages communicating with each other. This means that a string will be processed by the first language before being sent to the other. It also means that it is important to think in terms of the receiving language
In this case:
$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = $q";<br/>
you are telling MySQL to
"SELECT * FROM example1 WHERE id = some_name.
In this case:
$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = '$q'";<br/>
and this case:
$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = '".$q."'";<br/>
you are telling MySQL to
"SELECT * FROM example1 WHERE id = 'some_name'.
The first example should cause an error as some_name is not a valid part of a MySQL query (in that context). On the other hand, the next two will work fine, because MySQL will look for the String "some_name".
You can also do this:
$sql="SELECT * FROM exempel WHERE id = {$q}";
which is useful for setting off things like:
$sql="SELECT * FROM exempel WHERE id = {$row[id]}";
in 'alt B', $q must be an int or float or other numeric
in 'alt A', $q can be anything a string, int, etc.
The single quote makes that possible. It's just hard to see sometimes if you are looking at it for the first time.