tags:

views:

332

answers:

4
+1  Q: 

SQL Query to find matching values based on user input

Hi there,

I'm building a website for property agents and tenants. Tenants can sign up and fill in their desired locations for properties, including Street, Town and Postcode. Once they sign up, this automatically emails agents who have properties that match those search criteria.

At present I have the query set up as follows so that it matches on either the Street, Town or Postcode.

<%
Dim rspropertyresults
Dim rspropertyresults_numRows

Set rspropertyresults = Server.CreateObject("ADODB.Recordset")
rspropertyresults.ActiveConnection = MM_dbconn_STRING
rspropertyresults.Source = "SELECT * FROM VWTenantPropertiesResults "

'WHERE     (ContentStreet = 'Holderness Road') OR (ContentTown = 'Hull') OR (ContentPostCode = 'HU')

rspropertyresults.Source = rspropertyresults.Source& "WHERE (ContentStreet = '" & Replace(rspropertyresults__varReqStreet, "'", "''") & "'"

rspropertyresults.Source = rspropertyresults.Source& "OR ContentTown = '" & Replace(rspropertyresults__varReqTown, "'", "''") & "' "
rspropertyresults.Source = rspropertyresults.Source& "OR ContentTrimmedPostCode = '" & Replace(varPostcode, "'", "''") & "' ) "

rspropertyresults.Source = rspropertyresults.Source& "AND (( ContentBedRooms >= " & Replace(rspropertyresults__varBedroomsNoMin, "'", "''") & " "
rspropertyresults.Source = rspropertyresults.Source& "AND ContentBedRooms <= " & Replace(rspropertyresults__varBedroomsNoMax, "'", "''") & " ) "

rspropertyresults.Source = rspropertyresults.Source& "AND ( ContentPrice > = " & Replace(rspropertyresults__varPriceMin, "'", "''") & " "
rspropertyresults.Source = rspropertyresults.Source& "AND ContentPrice <= " & Replace(rspropertyresults__varPriceMax, "'", "''") & " )) " & varSQL & " "

rspropertyresults.Source = rspropertyresults.Source& "ORDER BY ContentPrice " & Replace(rspropertyresults__varSortWay, "'", "''") & " "

rspropertyresults.CursorType = 0
rspropertyresults.CursorLocation = 2
rspropertyresults.LockType = 1
rspropertyresults.Open()

rspropertyresults_numRows = 0
%>

However, the client has asked that instead of just matching on one of the values, it needs to work in such a way that if say Street and Town match, then email that property agent or if Town and Postcode match, then email that property agent.

As you can imagine, I think the query would become quite complex, but i'm unsure how to best design a query like this.

I wondered if anyone might be able to help or point me in the right direction?

Thank you.

+2  A: 

Including SQL in your web site is bad practice IMO. But I am not familiar with asp-classic. Also the way you do this you are in danger from SQL injection. Don't mix UI and data access logic.

Look at http://en.wikipedia.org/wiki/SQL_injection

Petar Repac  2009-09-10 13:30:31
There is nothing in ASP classic that prevents using best practices like separate model layer, parameterized queries, disconnected recordsets, connection pooling, etc.
RedFilter  2009-09-10 14:01:34
+1  A: 

It would be a good idea to create a SQL Stored Procedure to handle the logic you've described. In ASP code, you can call into this procedure with the user-supplied parameters. This avoids issues with dynamically creating SQL and also make this problem a bit easier to tackle.

See http://authors.aspalliance.com/stevesmith/articles/sprocs.asp for a few examples of using ADODB with stored procedures.

David Andres  2009-09-10 13:33:22
Note, it is not necessary to use a stored procedure in order to implement parameterized queries.
RedFilter  2009-09-10 14:03:07
Absolutely true. I'm advocating SPs here as a cleaner, more focused way to affect the goals the OP wants to achieve.
David Andres  2009-09-10 14:25:12
+4  A:  
SELECT  *
FROM    (
        SELECT  id
        FROM    (
                SELECT  id
                FROM    VWTenantPropertiesResults
                WHERE   ContentStreet = 'Holderness Road'
                UNION ALL
                SELECT  id
                FROM    VWTenantPropertiesResults
                WHERE   ContentTown = 'Hull'
                UNION ALL
                SELECT  id
                FROM    VWTenantPropertiesResults
                WHERE   ContentPostCode = 'HU'
                ) qi
        GROUP BY
                id
        HAVING  COUNT(*) >= 2
        ) q
JOIN    VWTenantPropertiesResults r
ON      r.id = q.id
WHERE   ContentBedrooms BETWEEN 1 AND 4
        AND ContentPrice BETWEEN 50 AND 500
ORDER BY
        ContentPrice

This will return you all records where at least 2 conditions match.

This solution is index friendly: unlike OR clauses, it will use indexes on ContentStreet, ContentTown and ContentPostCode.

See this entry in my blog for performance detail:

For best performance and security, replace substituted parameter values with bound parameters.

This will save you time on query parsing and will protect you against SQL injection.

Quassnoi  2009-09-10 13:35:28
+1: Good solution - perhaps UNION ALL would be better in this case, since you are grouping by id anyway?
RedFilter  2009-09-10 13:59:01
Hey Quassnoi,Thank you for your solution. I have tried this just in a view first to see if it executes correctly. (I also changed the id's to ContentID). It executes, but doesn't return any results.This could be that I have something else that is interfering with the results. I know that there is definitely some data that would match 2 or 3 of the conditions.
Neil Bradley  2009-09-10 13:59:21
`@OrbMan`: right, thanks. Not only it's better, but it's requried for the query to work properly.
Quassnoi  2009-09-10 14:03:42
`@Neil Bradley`: try now, I've fixed the query (thanks to `OrbMan`)
Quassnoi  2009-09-10 14:04:22
I missed that it was required, was only thinking of performance, but of course you need it!
RedFilter  2009-09-10 14:08:27
Thank you very much guys. It does seem to be working now. Really appreciate the fast response.
Neil Bradley  2009-09-10 14:15:33
@Quassnoi: If I need to append the select to check if any 2 of those 3 conditions match as well as a check for the following;AND ContentBedrooms >= '1' AND ContentBedrooms <= '4'AND ContentPrice >= '50' AND ContentPrice <= '500'ORDER BY ContentPriceWhat would be the best way to do that?Thank you.
Neil Bradley  2009-09-10 14:43:14
`@Neil Bradley`: add a WHERE clause with these conditions to the end of the query.
Quassnoi  2009-09-10 14:48:19
`@Neil Bradley`: since your conditions don't seem to be very selective, this seems to be the best way. If they were selective I'd suggest to create composite indexes on (`ContentTown, ContentPrice`) etc. and add the condition into each of the three queries above.
Quassnoi  2009-09-10 14:49:43
Would the WHERE clause go just before JOIN?
Neil Bradley  2009-09-10 15:02:01
`@Neil`: just after `JOIN`. See the post update.
Quassnoi  2009-09-10 15:06:21
@Quassnoi: Man, you are awesome. Thank you so much.
Neil Bradley  2009-09-10 15:19:00
A: 

An approach I've used in a similar situation is if you make use of LIKE, rather than column = value, then you can make use of any values in any combination of fields. For instance:

WHERE town LIKE ('%' + @town + '%') and zip LIKE ('%' + @zip '%') AND street LIKE ('%' + @street '%') AND etc

Then it wouldn't matter if they only filled out some of the fields, it would still return valid results. The main catches to this approach, is all the fields would need to be string values as LIKE doesn't work with numeric type columns. So you would have to do some casting on numeric fields, which could bog things down some depending on how much conversion needs to be done, so it's a give and take kind of situation.

I would also agree that this really should be done in a stored procedure passing in parameters for the fields to search on.

BBlake  2009-09-10 13:46:45

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?