A: 

Never use concatenation to generate your SQL, you should be using prepared SQL statements with parameters.

The only way to simplify this statement without having greater knowledge of the problem domain is to reduce the number of columns. It looks as if you've got three prices per product entry. You could create a table of product prices instead of columns of product prices and this would make it a single comparison and give you the flexibility to create yet more product prices in the future.

So you'll need to create a one->many relationship between product and prices.

altCognito
This is used as a part of complex search engine so we must use concatenation..And that is not a problem..But problem is how to make correct condition.
There is nothing in this SQL statement which precludes you from using prepared SQL statements. But, I'll answer the other portion as well.
altCognito
This is only one part of the final query string..System is very complex and large..So we can't prepare SQL statements. This is just a part of 13 condition offers search. See how many variations could be there..I only need help how to make condition like this to work or to find a better way.
A: 

Okay so what is your question?

uriDium
The question was how to do this in a better way.
+1  A: 

Performance improvement: Your query is OR based, meaning that it will stop evaluating the conditions as soon as it finds one of them being true. Try to order your conditions in such a way that, for example, in your case, the first check is the most likely to be under 400.

Security improvement: Use prepared statements and filter out your variables before using them. In case of the $ObrKursQuery, if it comes from a user input or an untrusted source, this is a non-quoted numeric value and you are exposed to a big variety of SQL injection problems (including arithmetic SQL injection: if that value is 0, you'll get a divideByZero error that can be used as a blind SQL injection condition).

Readability improvement: Be sure to always be consistent in the way you write your code, and if possible, follow some accepted de facto standard, like starting variable names lower case: $ObrKursQuery -> $obrKursQuery. Also for the sake of self documenting code, choose names for your variables that mean what they are: $ObrKursQuery -> $conversionRatio.

Maintainability/Scalability improvement: Use a constant instead of a fixed value for the 400. When you change that value in the future, you will want to change it in just one place and not all over your code.

palako
Yap..I already know that..But this is not what I need..I say again I don't need advice how should I do this or that..but to solve problem above.. :) $ObrKursQuery is value from a database..so no divideByZero error..
Then I misunderstood your question. There's nothing wrong with your code, it will work correctly, won't it? What I mentioned are improvements that you could make in case they apply, which is what I understood you wanted, improvements, but what is the problem that you want to solve? Your code seems to be what solves your problem.
palako
Problem is that it doesn't work..It behaves like there is no WHERE *** part of the query..I just get all the results from the table..Strange..
The piece of code you pasted is correct. Either you actually don't have any records that match one of the conditions or your problem is somewhere else.
palako
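
An added example, not code from the question or from any of the answers: a search built from optional conditions can still be fully parameterized, because each condition contributes a SQL fragment with `?` placeholders plus its values, and only the fixed fragments are concatenated. It is written in Python with `sqlite3` so it runs stand-alone; the `products` table, the `price1`..`price3` and `name` columns, and all function names are assumptions.

```python
import sqlite3

MAX_PRICE = 400.0  # the threshold from the thread, defined once

# Hypothetical column names: fixed identifiers in code, never taken from input.
PRICE_COLUMNS = ("price1", "price2", "price3")


def price_under(limit, ratio):
    """Condition: any price column, divided by the conversion ratio, is below limit."""
    ratio, limit = float(ratio), float(limit)  # rejects non-numeric input outright
    if ratio <= 0:
        raise ValueError("conversion ratio must be positive")
    parts = [f"({col} / ? < ?)" for col in PRICE_COLUMNS]
    return "(" + " OR ".join(parts) + ")", [ratio, limit] * len(PRICE_COLUMNS)


def name_contains(needle):
    """A second optional condition, to show how fragments combine."""
    return "name LIKE ?", [f"%{needle}%"]


def build_search(conditions):
    """Join (fragment, values) pairs into one statement plus its parameter list."""
    sql, params = "SELECT name FROM products", []
    if conditions:
        sql += " WHERE " + " AND ".join(frag for frag, _ in conditions)
        for _, values in conditions:
            params.extend(values)
    return sql + " ORDER BY name", params


def demo():
    db = sqlite3.connect(":memory:")  # constructed sample data
    db.execute("CREATE TABLE products (name TEXT, price1 REAL, price2 REAL, price3 REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("lamp", 900, 950, 700),
        ("desk", 4000, 4200, 3900),
        ("lamp shade", 5000, 5000, 5000),
    ])
    sql, params = build_search([price_under(MAX_PRICE, 2.0), name_contains("lamp")])
    return sql, params, [row[0] for row in db.execute(sql, params)]


if __name__ == "__main__":
    print(demo())
```

The same pattern scales to any number of optional conditions: the statement text varies per search, but every value reaches the database as a bound parameter.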