0


I am trying to search in MySql db based on user input something like below.
User may/not select from the below fields

<select name="field_one" id="f1">
<option value="AA">AA</option> 
<option value="BB">BB</option>
<option value="CC">CC</option>
</select>



<select name="field_two" id="f2">
<option value="11">11</option> 
<option value="22">22</option>
<option value="33">33</option>
</select>

if User selects only 'field_one', then mysql_query should filter only based on 'field_one'. In this case there can be four combination

  1. Filed_one is slected and filed_two is not selected
  2. Field_One is not selected and field_two is selected
  3. Filed_one is not selected and Filed_two is not selected
  4. Field_one is selected and Field_Two is selected

What is the best and efficient methode to make this search?

I tried with 'case .... break;' and 'if', but when the first condition is met, code stops and does not check the next conditions
Can any one give me a clue?
Thanks in advance for the help....

Improve this question

4 Answers 4

Reset to default
1

try this:-

$query = "select * from table_name where 1 ";
            if(!empty($_POST['field1']) ) {
             $query .= " AND field1 like '".trim($_POST['field1'])."'";
            }
            if(!empty($_POST['field2'])) {
             $query .= " AND field2 like '".trim($_POST['field2'])."'";
            }
            // and so on
            $result = mysql_query($query);

please use escape string also http://php.net/mysql_real_escape_string

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1 
            <?php
            $sql = "SELECT * FROM table_name WHERE 1";

            if(isset($_POST)){
                if(isset($_POST['field_one'])){
                    $sql.= 'AND  field_one'= $_POST['field_one'];
                }
                if(isset($_POST['field_two'])){
                    $sql.= 'AND field_two'= $_POST['field_two'];
                }
            }

            mysql_query($sql);
            ?>
Improve this answer

Comments

0

Example, not tested and needs lots of variable processing against SQL injection

$where = "";
$bits = array();
$bitset=false;

if(isset($_POST['field_one') && strlen($_POST['field_one')) > 0)
  {
  $bitset = true;
  $bits[] = " field1 = $_POST['field_one')"
  }

if(isset($_POST['field_two') && strlen($_POST['field_two')) > 0)
  {
  $bitset = true;
  $bits[] = " field2 = $_POST['field_two')"
  }

if($bitset)
  {
  $where = implode(", " $bits);
  }

$sql = "select * from table " . $where;
Improve this answer

1 Comment

I have skipped that and chances are that other will skip that as well. Furthermore, your code has at least 7 syntax errors and will generate an invalid query.
0

You can also use PDO & param binding to avoid SQL Injection : http://www.php.net/manual/fr/pdostatement.bindparam.php

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.