ansaurus

Question

Answer 1

+1 A:

I am guessing that you want to make it a "filter" type query that allows the parameters to be optional? You could do something like:

SELECT 
    * 
FROM 
    Phones 
WHERE
    (manu = $manu OR manu IS NULL)
    AND (min = $min OR min IS NULL)
    AND (max = $max OR max IS NULL)

Adding the OR with the null option (you can make it an empty string or whatever) allows you to filter on any parameter passed.

You can combine this with what you have above, checking for min/max and supplying defaults for your BETWEEN clause.

David in Dakota 2009-12-07 17:44:16

I think he means (price >= $min OR $min IS NULL) AND (price <= $max OR $max IS NULL). But please, PLEASE think of SQL-injection. Either prepare the statement or at least use mysql_real_escape_string() to escape the input!

Cassy 2009-12-07 17:53:50

Answer 2

+1 A:

Hi,

If I were you, I would cut the whole SQL into parts, and dealing with the WHERE statement.

Somethin like:

sql = "SELECT * FROM phones WHERE 1=1 "
if (not empty($manu))
    sql = sql + ' AND manu = "$manu"'
...

Regards.

ATorras 2009-12-07 17:46:01

If I were you I would avoid building SQL dynamically like that all together...

Dems 2009-12-07 18:01:36

Yes, but I suppose all of us know about SQL injection (as you posted after) and how to avoid them. If somebody is a lazy programmer no tool will change that.

ATorras 2009-12-07 18:23:24

Fair point, but I deal with lazy programmers all the time and part of my job is to minimise their impact ;)

Dems 2009-12-07 18:30:10

I don't know about SQL injection.

Elliot 2009-12-07 19:42:16

Then, SERIOUSLY find out.

Dems 2009-12-07 20:29:55

Answer 3

+1 A:

I tend to do this by changing the logic in the SQL and passing in NULL parameters, or parameters with specific values.

WHERE manu='$manuf' AND price BETWEEN $min AND $max

=>

WHERE
    (manu='$manuf' OR '$manuf' = '*')    -- Check for "special value"
    AND (price >= $min OR $min IS NULL)  -- Check for NULL
    AND (price <= $max OR $max IS NULL)  -- Check for NULL

Dems 2009-12-07 17:57:18

Note: I say I pass in parameters, you're building a string to be executed dynamically. As other have stated many times, this is quite bad practice in general, due to SQL injection attacks. Better to use a mthodology that allow parameterisation.

Dems 2009-12-07 17:59:58

There's always trade-offs - your suggestion will suffer performance-wise due to OR use, which destroys sargability. SQL injections can be handled.

OMG Ponies 2009-12-07 18:22:29

+1 Java have the PreparedStatement object that will _help_ you preventing the SQL injection. This sheet may help you to archieve this goal: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

ATorras 2009-12-07 18:26:24

Actually, most RDBMS won't loose sargability in this case. (field <= constant OR constant = constant) can be handled in the execution plan because half of the OR condition resolves to a constant itself. If it were (field <= constant OR field = constant) things would be different, but even then I would doubt all use of indexes would be lost in anything but a very primative RDBMS.

Dems 2009-12-07 18:28:04

Answer 4

A:

Maybe something like...

SELECT * FROM phones 
WHERE manu = coalesce(?, manu)
AND price >= coalesce(?, price) 
AND price <= coalesce(?, price)

Then pass in parameters instead of putting in the variables directly (not sure how to do that in PHP off the top of my head).

Corey 2009-12-07 22:43:37

ansaurus

tags:

views:

answers:

Method for matching any string in SQL

related questions