Select table filter by querystring php?

If you don't want to constrain a column, simply omit it from your query never insert a string from $_REQUEST directly into a query string -- classic SQL injection flaw. You probably want to enforce some sort of limit, lest the query return every single result in your database. Example: Php $conditions = array(); if(!empty($_REQUEST'city')) $conditions = "city = " .

Mysql_real_escape_string($_REQUEST'city'); if(!empty($_REQUEST'state')) $conditions = "state = " . Mysql_real_escape_string($_REQUEST'state'); if(!empty($_REQUEST'country')) $conditions = "country = " . Mysql_real_escape_string($_REQUEST'country'); $sql = 'select * from table '; if(!empty($conditions)) $sql .

= ' where '. Implode(' AND ', $conditions); $sql . = ' LIMIT 1000.

1 only comment I have is to use (int) instead of mysql_real_escape_string. He states the fields are integers. Beside that, seems we had the same idea ;-) – PENDO May 10 at 18:23 @Frank Farmer, nice, and you totally beat me to it, wish I could type faster ... :) @PENDO, you also have a good method, although I think, and I might be wrong, when dealing with integers and MySQL you have to omit the single quotes around the value itself, the single quotes are for characters and strings, not integers.

– hypervisor666 May 10 at 18:27 just a thing I'm used to since years.. it works perfect but your point is taken, I must 'un-teach' myself to quote integers. – PENDO May 10 at 18:48 Quoting ints doesn't hurt too much in mysql (although I'm not immediately aware of any benefits either); mysql casts as needed (does it even raise a warning in this case? ).

However, you have to be more careful with some other databases -- postgres versions 8.3 and higher will refuse to automatically cast quoted ints in comparisons against int columns. – Frank Farmer May 10 at 18:51 This works great but for some odd reason it returns all cities even if I filter it. – Andres May 12 at 16:15.

$where = array(); if(!empty($_REQUEST'city')) $where = "city = '".(int)$_REQUEST'city'. "'"; if(!empty($_REQUEST'state')) $where = "state = '".(int)$_REQUEST'state'. "'"; if(!empty($_REQUEST'country')) $where = "country = '".(int)$_REQUEST'country'."'"; $wherestring = if(count($where)!

= 0)? " WHERE ". Implode(' AND ', $where) : "" ; $query = "SELECT * FROM table".

$wherestring.

Seems I was a bit too late :D – PENDO May 10 at 18:21.

You may want to consider writing several query strings, one for just country, one for state and country and one for city, state and country. Alternatively you can assemble the query string based upon the different parameters you have to work with. Example: if(isset() || isset() || isset() ) //make sure at least one is set { $query_string = "SELECT * FROM table WHERE "; if(isset($_REQUEST'country')) { $country = $_REQUEST'country'; $query_string .

= " country = $country"; } if(isset($_REQUEST'state')) { $state = $_REQUEST'state'; $query_string . = " state = $state"; } if(isset($_REQUEST'city')) { $city = $_REQUEST'city'; $query_string . = " city = $city"; } } else { //Else, if none are set, just select all the entries if no specifications were made $query_string = "SELECT * FROM table"; } //Then run your query... So in english, the first thing you do is check your parameters, making sure you have something to work with before you try and concatenate empty variables together.

Then you make the base query string (as long as we have parameters) and leave it open ended so that we can add whatever parameters you need. Next check each parameter, and if it is set, then concatenate that parameter onto the end of the query string. Finally process the query by sending it to the SQL server.

Good luck! H.

Here're my suggestions. I'm giving you an answer, even though you have three already. I'm thinking mine may be easier on the code-eyes.Do not use the raw $_REQUEST value, as it's likely that the user can poison your database by feeding it fake $_REQUEST data.

Though there may be better ways to do it, keep in mind the command "mysql_real_escape_string($string)". A common method I've seen for solving this problem is written below.(The implode idea, basically. Frank Farmer does it as well in his.

) - $__searchWheres = array(); //Where we'll store each requirement used later foreach( array('city','state','country') as $_searchOption) { if (! empty( $_REQUEST$_searchOption ) ) { $__searchWheres = $_searchOption . '= "' . Mysql_real_escape_string( $_REQUEST$_searchOption ) .

'"'; } } $__query = 'select * from table' .(count($__searchWheres) > 0? ' WHERE ' . Implode(' AND ',$__searchWheres) : ''); //Implode idea also used by Frank Farmer //Select from the table, but only add the 'WHERE' key and where data if we have it.

Mysql_query($__query).

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.