tags:

views:

245

answers:

3
+1  Q: 

Dynamic Query based on mulitple GET variables (Refine Search Form)

So im trying to find a script that can start me off with creating an 'refine search' panel which will be a form, hopefully something close to what Ebay have got at the moment.

Whilst I know this is going to be a form and using the GET method, I cant find a script that can parse a url for multiple params and update the query all dynamically.

Im not sure quite how to do this without a million and one if statements. (about 10 or so possible GET variables but could be a lot more soon.)

So i need a simple:

  • foreach GET add WHERE field=GET[variable]

any ready made scripts you know of?

A: 

I know next to nothing about PHP, but there's some discussion about retrieving and parsing the query string here (scroll down a bit):

http://us2.php.net/manual/en/reserved.variables.get.php

You can probably lift some useful code out of there to extract all of your GET parameters and use them to construct your WHERE clause. I'm not sure how your data model is set up, so I can't offer any detailed advice on that -- besides the usual advice of sanitizing all your inputs so that you don't end up with a Bobby Tables on your hands.

Bugmaster  2009-09-20 23:44:53
+2  A: 

I don't know of some canned script to do this.

But it's quite easy to write it yourself.

<?PHP
    $valid_fields = array('field1','field2',...'fieldN');

    $where = "WHERE 1=1 ";

    foreach($valid_fields as $fname){
       if (! empty($_GET[$fname])){
          $where .= " AND $fname='" . mysql_real_escape_string($_GET[$fname]) ."'";
       }
    }

This code simply loops over your expected input variables, and if they're passed as a parameter in $_GET, ads an AND to the WHERE clause.

Then you just tack the $where onto the end of your query (whatever it happens to be):

$sql = 'SELECT * FROM some_table ' . $where;

Edit for example code to hide column names:

<?PHP
//keys are parameter names in _GET, values are database column names.
$fieldmap = array(
'fname'=>'first_name',
'lname'=>'last_name'
);

$where = '1=1 ';

foreach($fieldmap as $get_name => $col_name){
  if (! empty($_GET[$get_name])){
    $where .= " AND $col_name = '" . mysql_real_escape_string($_GET[$get_name]) . "'";
  }
}
?>
timdev  2009-09-20 23:48:10
really very very good, however this exposes my table names which im not too happy with! any chance i could mask them with another array like the $valid_fields so GET[name] would become GET[whateverhere]
bluedaniel  2009-09-21 00:04:52
You could use another associative array... So $mask = array('url_name'=>'table_name'); Then instead of using $_GET['table_name'] you'd use $mask[$_GET['url_name'];
BraedenP  2009-09-21 00:09:30
oh youve lost me a bit there, not quite sure how to put that on the page, recursive arrays baffle me a bit in terms of formatting, any chance you can show me in an answer so i can see the formatting? thanks for this help by the way!
bluedaniel  2009-09-21 00:16:42
Answer edited to do what BraedenP is talking about (more or less, I think)
timdev  2009-09-21 00:37:20
Yep, that should work. :) That's exactly what I was talking about.
BraedenP  2009-09-21 00:40:01
need to change $where = '1=1 '; to $where = 'WHERE 1=1 ';just for anyone copy and pasting ;)great work thank you so much
bluedaniel  2009-09-21 00:42:07
you guys are amazing, i wish i could buy you a beer right now!
bluedaniel  2009-09-21 00:52:40
Tim can have both. I'm not old enough to drink them :(
BraedenP  2009-09-21 00:54:12
Don't mind if I do :-)
timdev  2009-09-21 01:11:41
A: 

You mean something like this?

<?php
$query = "SELECT [WHATEVER YOU'RE SELECTING] FROM your_table WHERE ";
$length = count($_GET);
$count = 0;
foreach($_GET as $key => $value){
    if($count <= $length){
        $query .= "$key='{$value}' OR ";
    }else{
        $query .= "$key='{$value}'";
    }

    $count++;
}
?>

That will loop through your $_GET array, adding key='value' type strings to the query string. Then once you're done recursing through the array, you can do whatever you want with the complete query string.

As per usual, use standard sanitizing functions as you collect your inputs (strip_slashes, mysql_real_escape_string, etc.)

BraedenP  2009-09-20 23:48:59
-1 because you're promoting SQL Injection vulnerabilities.
timdev  2009-09-20 23:59:48
The last sentence of my answer explicitly states that I included no sanitizing functions.
BraedenP  2009-09-21 00:02:25
gah. sorry about that. make another edit so I can remove the downvote.
timdev  2009-09-21 00:32:42

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL