Creating a mySQL query using PHP form dropdowns - If user ignores dropdown, do not filter by that parameter

Question

Hello,

I am creating a simple MySQL query that will be built from the user selecting options from 2 dropdowns.

The issue I am having is that I would like each drop down to default that if they do not actually choose an option, do not filter by that dropdown parameter.

So, if they come in, and simply hit submit without choosing from a dropdown they should see everything. If they come in and pick from only one of the dropdowns, the query will basically ignore filtering by the other dropdown.

I tried making <OPTION VALUE='any'>Choose but my query didn't know what to do with the 'any' and just shows no results.

Here is my code. Thank you very much for whatever help you can provide.

FORM

<form method="POST"  action="<?php echo $_SERVER['REQUEST_URI']; ?>">


<select name="GameType"> 
<OPTION VALUE='any'>Choose Game Type
<option value="Game1">Option 1</option>
<option value="Game2">Option 2</option>
<option value="Game3">Option 3</option>
</select>


<select name="Instructor"> 
<OPTION VALUE='any'>Choose Instructor
<option VALUE="InstructorA">Instructor A</option>
<option value="InstructorB">Instructor B</option>
<option value="InstructorC">Instructor C</option>
</select>

<input type='submit' value='Search Videos'>  
        </form>

MYSQL

<?PHP

 connection stuff

$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {
$SQL = "SELECT * FROM Videos WHERE GameType=\"{$_POST['GameType']}\" AND Instructor=\"{$_POST['Instructor']}\"";
$result = mysql_query($SQL);

while ($db_field = mysql_fetch_assoc($result)) {

echo $db_field['ShortDescription'] . ", ";
echo $db_field['LongDescription'] . ", ";
echo $db_field['GameType'] . ", ";
echo $db_field['NumberOfPlayers'] . ", ";
echo $db_field['Instructor'] . ", ";
echo $db_field['Stakes'] . ", ";
echo $db_field['UserPermissionLevel'] . ", ";
echo $db_field['DateCreated'] . "<BR>";

}

mysql_close($db_handle);

}
else {
print "Database NOT Found ";
mysql_close($db_handle);
}




?>

Answer 1

you can do something like this:

$w=array();
if (!empty($_GET['rooms'])) $w[]="rooms='".mysql_real_escape_string($_GET['rooms'])."'";
if (!empty($_GET['space'])) $w[]="space='".mysql_real_escape_string($_GET['space'])."'";
if (!empty($_GET['max_price'])) $w[]="price < '".mysql_real_escape_string($_GET['max_price'])."'";

if (count($w)) $where="WHERE ".implode(' AND ',$w); else $where='';
$query="select * from table $where";

Note that this code has written for the empty value (<OPTION VALUE=''>)

Also note that your code suffer terribly from the SQL injection

Answer 2

Build the SQL query in PHP leaving out the part in the where clause if "any" is selected.

Answer 3

Last week, I implemented a solution to a problem similar to this by using a technique found on mikesdotnetting . In it, he describes testing for a null entry from the user in the WHERE clause, then moving to criteria matching.

So, to liken it to your example:

"SELECT * FROM Videos 
  WHERE (GameType IS NULL OR GameType = $_POST['GameType']) 
    AND (Intructor IS NULL OR Instructor = $_POST['Instructor'])"

Also note that this technique will require you to nullify your selected option in your :

<OPTION VALUE=''>Choose Game Type</option>