开发者

Generating SQL query based on URL parameters

问答 作者:

Suppose my URL is http://something.com/products.php?brand=samsung&condition=new

For the above query I am using isset() and $_GET[]) functions along with lots of if-else statements in PHP to generate a sql query for displaying the products which satisfy the search criteria.

For example: if I am dealing with only brand and condition parameters then this is how I will generate the query:

$sql = "select * from products where 1=1 ";
if(isset($_GET['brand']))
{
     if(isset($_GET['condition']))
     {
         $sql = $sql + "and brand=".$_GET['brand']." and condition=".$_GET['condition'];
     }
}
else
{
     if(isset($_GET['condition']))
     {
         $sql = $sql + "and condition=".$_GET['condition'];
     }
     else
     {
         $sql = $sql + ";";
     }
}

Now suppose my URL is having 10 parameters (or more). In this case, using if-else is not at all good. How can I genera开发者_C百科te the query without using so many if-else statements? Is there any better method/script/library available for doing this thing?

There are a number of ways to do this, but the easiest way would be to loop through the acceptable columns and then append appropriately.

// I generally use array and implode to do list concatenations. It avoids
// the need for a test condition and concatenation. It is debatable as to
// whether this is a faster design, but it is easier and chances are you 
// won't really need to optimize that much over a database table (a table
// with over 10 columns generally needs to be re-thought)
$search = array();
// you want to white-list here. It is safer and it is more likely to prevent
// destructive user error.
$valid  = array( 'condition', 'brand' /* and so on */ );


foreach( $valid as $column )
{
   // does the key exist?
   if( isset( $_GET[ $column ] ) )
   {
      // add it to the search array.
      $search[] = $column . ' = ' . mysql_real_escape_string( $_GET[ $column ] );
   }
}
$sql = 'SELECT * FROM TABLE_NAME WHERE ' . implode( ' AND ', $search );
// run your search.

If you really are trying to get rid of the 'if' statements, you could use this:

$columns = array_intersect( $valid, array_keys( $_GET ) );
foreach( $columns as $column )
{
    $search[] = $column . ' = ' . mysql_real_escape_string( $_GET[ $column ] );
}
$sql = 'SELECT * FROM TABLE_NAME WHERE ' . implode( ' AND ', $search );

But you may want to run actual benchmarks to determine whether that is a substantially better option.

继续阅读:javascriptphpweb-services

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9