...

View Full Version : PHP - working with multiple sql where clauses



memprog
05-03-2006, 06:21 PM
I am writing a small php application that returns results based on information a user can enter into multiple text fields.

here is what I have:

search.php
-------------
Order Info ID:
<INPUT type="text" maxLength=100 size=17 name=orderId>
TELEPHONE:
<INPUT type="text" maxLength=20 size=14 name=phone>
PON:
<INPUT type="text" maxLength=100 size=27 name=ponValue>


results.php
----------------
<?
$pon = $_POST['ponValue'];
$telephone = $_POST['phone'];
$order = $_POST['orderID'];

$select = "select * from orderinfo and day <>'' " ;
$whereClause = "";
$res = $db_connection->Execute($select);


?>

<?
//this is what I don't know how to do.
//I need to add the where clause to the sql statement if the user
//..has entered a value into any of the text fields

if($pon !="")
{
whereClause = " and pon = ".'$pon';
echo $res->Fields['$pon']->Value;
}
?>

How can I add this where clause to my sql statment based on what value the user has entered?

please help.

thanks,
Mark

GJay
05-03-2006, 07:18 PM
$select = "select * from orderinfo and day <>'' " ;
$whereClause = "";
if(isset($pon))
$where.='pon='.mysql_real_escape_string($pon).' AND';
if(isset($telephone))
$where.='telephone='.mysql_real_escape_string($telephone).' AND';
if(isset($order))
$where.='order='.mysql_real_escape_string($order).' AND';
if($where!='')
$where=' WHERE '.substr($where,0,-4);
$select.=$where;
$res = $db_connection->Execute($select);

phpfr33k
05-04-2006, 02:46 AM
$select = "select * from orderinfo and day <>'' " ;
$whereClause = "";
if(isset($pon))
$where.='pon='.mysql_real_escape_string($pon).' AND';
if(isset($telephone))
$where.='telephone='.mysql_real_escape_string($telephone).' AND';
if(isset($order))
$where.='order='.mysql_real_escape_string($order).' AND';
if($where!='')
$where=' WHERE '.substr($where,0,-4);
$select.=$where;
$res = $db_connection->Execute($select);




Don't want to sound pushy, but there are a couple of other ways to do this.



$select = "select * from orderinfo and day <>'' " ;
$whereClause = "";
if(!empty($pon))
$where.='pon='.mysql_real_escape_string($pon).' AND';
if(!empty($telephone))
$where.='telephone='.mysql_real_escape_string($telephone).' AND';
if(!empty($order))
$where.='order='.mysql_real_escape_string($order).' AND';
if($where!='')
$where=' WHERE '.substr($where,0,-4);
$select.=$where;
$res = $db_connection->Execute($select);




by using the empty function you stop someone from entering blank characters in a form which would not get caught by isset, and would trigger an error.
Although, If your a fan of arrays... You might try this.





$select = "select * from orderinfo and day <>'' " ;

if(count($_GET) > 3){

exit; // Someone is trying to inject get variables!

}
elseif(count($_GET) > 1){

foreach($_GET as $x => $y){

$arr_where[] = "(`" . $x . "` LIKE '" . $y . "')";

}

$str_where = implode(" AND ",$arr_where);

$select .= " WHERE " . $str_where;

}



This would allow for scalability. If suddenly you need to ask for more information, It is all still optional just change the 3 in the first if statement to the total number of items your form should return.

memprog
05-04-2006, 04:42 PM
phpfr33k,

I am giving the user the option of either entering 1, multiple or, no values. Will the empty function still work?

memprog
05-04-2006, 05:07 PM
I neglected to mention something, I have this in a while loop so basically it looks like this....

search.php
-------------
Order Info ID:
<INPUT type="text" maxLength=100 size=17 name=orderId>
TELEPHONE:
<INPUT type="text" maxLength=20 size=14 name=phone>
PON:
<INPUT type="text" maxLength=100 size=27 name=ponValue>


results.php
----------------
<?
$pon = $_POST['ponValue'];
$telephone = $_POST['phone'];
$order = $_POST['orderID'];

$select = "select * from orderinfo and day <>'' " ;
$whereClause = "";
$res = $db_connection->Execute($select);


?>

<?
//this is what I don't know how to do.
//I need to add the where clause to the sql statement if the user
//..has entered a value into any of the text fields

while(!res->EOF)
{

if($pon !="")
{
whereClause = " and pon = ".'$pon';
echo $res->Fields['$pon']->Value;
}
}
?>


So where would I add the code if it's in a while loop?



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum