0

I'm having a little trouble with my MySQL query

I have a DB full of products and I have a dropdown menu which lets a user select what time of day they'd like to get results for :-

  • Dropdown
    • Breakfast
    • Lunch
    • Evening
    • Anytime

At the moment my statement is

SELECT * from DEALS WHERE timeofday='post data from form';

Now this works fine, but with the option for 'Anytime' I'd like the query to be able to search for results of all/any of the above.

I was thinking of perhaps doing an IF statement which fires off 2 separate queries, one which says if the $_POST['timeofday'] == 'Anytime' then fire off

SELECT * from DEALS where timeofday='Breakfast' 
OR timeofday='Lunch' OR timeofday='Evening';

otherwise just do the normal query, although wondered if it was possible to do this in just one statement.

Kind regards

4
  • remove the WHERE, "SELECT * FROM DEALS" Commented Jul 8, 2012 at 11:13
  • I suspect your code is vulnerable to SQL injection. Commented Jul 8, 2012 at 11:18
  • How do you know? Can you see my code? I may have filtered all of my vars already ;P. Commented Jul 8, 2012 at 11:20
  • You could improve your second query by using timeofday IN(...). Commented Jul 8, 2012 at 11:24

4 Answers

2
$query = 'SELECT * from DEALS';
if ($_POST['timeofday'] != 'Anytime') {
    $query .= ' WHERE timeofday="' . $_POST['timeofday'] . '"';
}

As DCoder mentioned, this approach is vulnerable to SQL injection... You should check/sanitize the input or use prepared statements. In this case where there is a predefined set of values you can:

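// Allow-list of the values the dropdown can legitimately send.
$knownTimesOfDay = array('Breakfast', 'Lunch', 'Evening', 'Anytime');
// in_array() needs the haystack as its second argument; strict mode avoids loose comparisons.
if (!in_array($_POST['timeofday'], $knownTimesOfDay, true)) {
    die('Unsupported time of day... Did it really come from the form?');
}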
$query = 'SELECT * from DEALS';
if ($_POST['timeofday'] != 'Anytime') {
    $query .= ' WHERE timeofday="' . $_POST['timeofday'] . '"';
}

2 Comments

That was going to be my solution, is this the best way to achieve this? I wanted to see if there was a more elegant way of achieving it :(
This is vulnerable to SQL injection. I can see OP is familiar with it, but you should definitely mention it for future readers.
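
The allow-list and prepared-statement advice from the answer above, combined into one query that also covers 'Anytime'. This is an added example, not code from the thread; the `findDeals` helper, the `id` and `name` columns, and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);

// The dropdown's options, used as an allow-list.
const TIMES_OF_DAY = ['Breakfast', 'Lunch', 'Evening', 'Anytime'];

// Hypothetical helper (not from the thread): deals for one time of day,
// or every deal when the choice is 'Anytime'.
function findDeals(PDO $pdo, $timeOfDay): array
{
    // A POST field can arrive as an array (timeofday[]=x); the strict
    // in_array() check also avoids PHP's loose-comparison surprises.
    if (!is_string($timeOfDay) || !in_array($timeOfDay, TIMES_OF_DAY, true)) {
        throw new InvalidArgumentException('Unsupported time of day');
    }
    // One statement for both cases. The choice is bound twice as a
    // parameter and never concatenated into the SQL text.
    $stmt = $pdo->prepare(
        "SELECT * FROM DEALS WHERE ? = 'Anytime' OR timeofday = ? ORDER BY id"
    );
    $stmt->execute([$timeOfDay, $timeOfDay]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows in an in-memory SQLite database (stand-in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE DEALS (id INTEGER PRIMARY KEY, name TEXT, timeofday TEXT)');
$pdo->exec("INSERT INTO DEALS (name, timeofday) VALUES
    ('Pancakes', 'Breakfast'), ('Soup', 'Lunch'), ('Steak', 'Evening')");

// Constructed inputs: two valid choices, a quote-breaking string, an array.
foreach (['Lunch', 'Anytime', '" OR "1"="1', ['Lunch']] as $input) {
    try {
        $names = array_column(findDeals($pdo, $input), 'name');
        echo json_encode($input), ' => ', implode(', ', $names), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($input), ' rejected', PHP_EOL;
    }
}
```
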
0

Don't think it can be done in one statement.

You are going to have to use an if statement anyhow.

1 Comment

Okay cool. Thanks for your feedback. I am not very good at SQL so thought there would be a better way.
0

If these are the only 3 possible values for timeofday, then you can have an if in the PHP script like this:

// Assumes $sql already holds the base SELECT; note the leading space before "where".
if ($_POST['timeofday'] != 'Anytime')
    $sql .= " where timeofday='" . $_POST['timeofday'] . "'";

0

This could turn out to be negative depending on the items you have in the table, but you could use:

SELECT * from DEALS where timeofday LIKE '%{$post_data}%'

It would return all the results from timeofday if $post_data was an empty string.
