开发者

How write dynamic query staring using PHP

问答 作者:

Dear experts, Let say I have to search 3 co-related options 1)name 2)address 3)Phone. So, I have to write 8[eight] separate queries.pls see the example below….

  $name= $_POST['name'];      
  $address = $_POST['address'];
  $phone= $_POST['phone'];
  if($name!=""&& $address==""&& $phone=="")
 {  $searching_query="SELECT id,name,address from info  where info LIKE '%$info%'";}        
   .....................................    
   ......................................
   .............开发者_运维百科.............................
   else if($name!=""&&$address==""&&$phone!="")
 {  $searching_query="SELECT id,name,address  from  info where name LIKE '%$ name%' AND phone LIKE '$phone' ";  }   
  else if ($name!=""&&$address!=""&&$phone!="")
 {  $searching_query="SELECT id,name,address  from  info where name LIKE '%$ name%' AND address LIKE '%$address%' AND phone LIKE '$phone' ";}

So, if the correlated searching option is more than that then I have to write more and more queries.

Now my question is: how can I write the exact query dynamically. I mean WHERE clause of query will be generated based on posted values.

Please help! Thx,riad

Use arrays! and escape user input with vendor specific functions to protect against SQL injections. mysql_real_esacpe_string() should be used in this case.

$where = array();
foreach(array('name','address','phone') as $key) {
    if(isset($_POST[$key]) && !empty($_POST[$key])) {
        $where[] = $key . " LIKE '%" . mysql_real_escape_string($_POST[$key]) . "%'";
    }
}
$query = "SELECT id,name,address FROM info";
if(empty($where)) {
    $query .= "WHERE info LIKE '%" . mysql_real_escape_string($info) . "%'";
} else {
    $query .= "WHERE " . implode(' AND ',$where);
}

You can always 'join' array entries to a string with a separator. If in this case you would use "AND" as your separator, you may be helped:

$like_clauses = array();

$fields = array( "phone", "address", "name" ) ;

foreach( $fields as $field) {
  if( !array_key_exist( $field, $_POST ) ) continue;

  $like_clauses[$field]=
    $field." LIKE '%"
    // thanx to @darko petreski's comment:
    .mysql_real_escape_string($_POST[$field]) 
    ."%'";

}

$query = "SELECT id,name,address from info where "
         .implode( "AND", $like_clauses );

(note: untested - grab the idea)

EDIT -- added mysql_real_escape_string to avoid injection vulnerability

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9