I was going to use the scuttle solution on: http://www.pui.ch/phred/archives/2005/04/tags-database-schemas.html for handling searches on my website. I was wondering how I could take the search input from a user and turn it into a single query.

For instance, let's say a user inputted 'blue dogs' in their search query... How could I dynamically update the query to include ('blue', 'dogs') in union and intersection queries?

A: 

For example, if your user input is "blue dogs", then on the page:

$searchstring = "blue dogs"; // or fetch the input
$arr = explode(" ", $searchstring); // split the text on every space character

You now have the user-inputted string in the array $arr; use it in the query like you usually do.

Starx
A: 

You can do it like this:

$search_string = implode(',', $search_array);

Now in your query you can use the IN clause:

$query = "select * from table where field IN ('".$search_string."')";
Sarfraz
-1: String parameters should be quoted, **all** values should be filtered through mysql_real_escape_string
symcbean
+1  A: 

The methods posted here are correct, just one little security addition: Don't forget to escape the user inputted data, otherwise you're just one step away from SQL injections. Or avoid the query and use prepared statements instead: PHPManual Prepared Statements

Tapdingo
A: 

Td: How does this work with prepared statements? I've just read that passing an array/list of strings is not possible with prepared queries, because SQL has no notion of that.

Maybe you can build up a list like "WHERE x IN (?,?,?,?,?,?,...)" automatically and then pass the string list as bound parameters.

mario
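
An added example (not part of any answer above, and not Scuttle's own code) of the placeholder-list approach from the last answer, applied to the union and intersection tag searches the question asks about. The table and column names, the in-memory SQLite database and the sample rows are assumptions constructed for the illustration.

```php
<?php
// Added example. Assumed schema: bookmarks(id, title), tags(bookmark_id, tag).

function buildTagQuery(string $input, bool $matchAll): array
{
    // Split on whitespace; drop empties and duplicates so the HAVING count is right.
    $terms = array_values(array_unique(
        preg_split('/\s+/', $input, -1, PREG_SPLIT_NO_EMPTY)
    ));
    if ($terms === []) {
        throw new InvalidArgumentException('no search terms');
    }
    // One "?" per term: only the NUMBER of placeholders depends on the input,
    // the terms themselves never become part of the SQL text.
    $placeholders = implode(',', array_fill(0, count($terms), '?'));
    $sql = "SELECT b.id, b.title FROM bookmarks b
            JOIN tags t ON t.bookmark_id = b.id
            WHERE t.tag IN ($placeholders)
            GROUP BY b.id, b.title";
    if ($matchAll) {
        // Intersection: the bookmark must carry every distinct term.
        // count() yields an integer produced by this code, not user data.
        $sql .= ' HAVING COUNT(DISTINCT t.tag) = ' . count($terms);
    }
    return [$sql . ' ORDER BY b.id', $terms];
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec('CREATE TABLE tags (bookmark_id INTEGER, tag TEXT)');
$pdo->exec("INSERT INTO bookmarks VALUES
            (1, 'Blue dog photos'), (2, 'Blue cars'), (3, 'Dog training')");
$pdo->exec("INSERT INTO tags VALUES
            (1, 'blue'), (1, 'dogs'), (2, 'blue'), (3, 'dogs')");

// Second input is a constructed string with quotes, to show it stays plain data.
foreach (["blue dogs", "blue' OR '1'='1"] as $input) {
    foreach ([false, true] as $matchAll) {
        [$sql, $params] = buildTagQuery($input, $matchAll);
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);               // each term bound as a value
        $titles = $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
        printf("%-18s %-12s => %s\n", $input,
            $matchAll ? 'intersection' : 'union', json_encode($titles));
    }
}
```

With a MySQL connection the same function works unchanged; only the PDO DSN differs.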