Simplifying mysql filter query_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-04-11 16:15 出处：网络

I\'m building a platform for a casting manager to catalog Actors and be able to browse them. My table \'actor\' is set up 开发者_JAVA百科with first name, last name, email, phone, address etc.

I'm building a platform for a casting manager to catalog Actors and be able to browse them. My table 'actor' is set up 开发者_JAVA百科with first name, last name, email, phone, address etc.

I have a browse.php page which has a form to filter results. Here's my class that I need help simplifying as well as getting rid of the wild card result when a field is null.

I pass through the form data into an array, $search, and the class checks if the array section is filled and writes to the SQL query.

public function getActors($search) {
    if(isset($search)) {
        if($search["first_name"] == NULL) { $first_name = "LIKE '%'"; } else { $first_name = "LIKE '".$search["first_name"]."'"; }
        if($search["last_name"] == NULL) { $last_name = "LIKE '%'"; } else { $last_name = "LIKE '".$search["last_name"]."'"; }
        if($search["gender"] == NULL) { $gender = "LIKE '%'"; } else { $gender = " = '".$search["gender"]."'"; }
        if($search["address_state"] == NULL) { $address_state = "LIKE '%'"; } else { $address_state = " = '".$search["address_state"]."'"; }
        if($search["ethnicity"] == NULL) { $ethnicity = "LIKE '%'"; } else { $ethnicity = " = '".$search["ethnicity"]."'"; }
        if($search["status"] == NULL) { $status = "LIKE '%'"; } else { $status = " = '".$search["status"]."'"; }

        $sql = "SELECT * FROM actor WHERE
            first_name ".$first_name." AND
            last_name ".$last_name." AND
            gender ".$gender." AND
            address_state ".$address_state." AND
            ethnicity ".$ethnicity." AND
            status ".$status."
        ";          
    } else {
        $sql = "SELECT * FROM actor";   
    }
    $s = mysql_query($sql) or die (mysql_error());
    $numrows = mysql_num_rows($s);

    for($x=0; $x < $numrows; $x++){
        $actorArray[$x] = mysql_fetch_row($s);
    }
    return $actorArray;
}

Any help on simplifying this or suggestions?

for the conditions, I you can use a foreach loop.

 if(isset($search)) {
        $conditions = array();
        foreach($search as $k => $criteria){
            if ($criteria != NULL){
                $condition[] = "{$k} LIKE '{$criteria}'";
                //this will produce for $search['first_name'] = 'john'
                //  "first_name LIKE 'john'"
            }
        }
        //we transform the array of conditions into a string
        $conditions = implode (' AND ', $conditions);
        $sql = "SELECT * FROM actor WHERE " . $conditions;

 }else{
        $sql = "SELECT * FROM actor";   
 }

What about (within the isset block)...

$fields = array('first_name','last_name','gender','address_state','ethnicity','status');
$parts = array();
foreach($fields as $field) {
  if(!empty($search[$field])) {
    $parts[] = $field . ' LIKE "' . $search[$field] . '"';
  }
}
$sql = "SELECT * FROM actor WHERE " . implode(' AND ', $parts);

And as mentioned by @Dvir, it's better to use positional parameters in your SQL statements.

LIKE '%'? seriously? why not just don't include the specific clause if it's null?

Also, your query is vulnerable to SQL injections.

After reading about SQL injections, you can just add the WHERE clauses by going over the $search array, adding the specific clause, and binding the parameter.