Forum Moderators: coopster


My sql select statement

         

Sarah Atkinson

6:25 pm on Apr 25, 2008 (gmt 0)

10+ Year Member



Working on a mysql statement I'm pulling variables from the GET. These will be used for the WHERE.

I'm using a set of if(isset) like this:


if(isset($_GET['x'])){
    $x=$_GET['x'];
    // spaces around AND so it does not run into the neighbouring conditions
    $whereclause=$whereclause . ' AND ' . "x=$x";
}

So what should $whereclause be started as so everything will come up if no variables are defined?

Also, for one of them I just want it to contain the letters. For this one my column is called BodyStyle, and it can be "Truck (4 Door Extended Cab)" or "Truck (4 Door Crew Cab)", but if I put in Truck I want to pull both of these. Would I use WHERE BodyStyle LIKE 'Truck'?

[edited by: Sarah_Atkinson at 6:44 pm (utc) on April 25, 2008]

Sarah Atkinson

7:42 pm on Apr 25, 2008 (gmt 0)

10+ Year Member



or
WHERE BodyStyle LIKE 'Truck%'

coopster

8:26 pm on Apr 25, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



There are a number of ways to handle the where clause but one of the simplest is to set it to a true value.
$where = 'WHERE 1=1'; 
if (isset($_GET['x'])) {
    $x = mysql_real_escape_string($_GET['x']);
    // Quote the value: escaping only protects data placed inside a quoted string literal.
    $where .= " AND x = '$x'";
}

Note the new function I added. Never trust user-supplied input. Without escaping that value you are exposing yourself to a security issue.

coopster

8:32 pm on Apr 25, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



or
WHERE BodyStyle LIKE 'Truck%'

Yes.
String Comparison Functions [dev.mysql.com]
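
A parameterized version of the pattern in this thread, as an added example that is not code from any of the posters: it keeps the WHERE 1=1 starting point and the LIKE 'Truck%' prefix match, but swaps mysql_real_escape_string for PDO bound parameters. The vehicles table, the Year column, the FILTERS list, the buildWhere() helper and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL.
// Columns a request may filter on; column names never come from user input.
const FILTERS = ['Year' => 'exact', 'BodyStyle' => 'prefix'];

function buildWhere(array $get): array
{
    $where  = 'WHERE 1=1';          // always true, so every filter can start with AND
    $params = [];
    foreach (FILTERS as $column => $mode) {
        if (!isset($get[$column]) || !is_string($get[$column]) || $get[$column] === '') {
            continue;               // missing, empty or array-valued: no filter
        }
        $value = $get[$column];
        if ($mode === 'prefix') {
            // Escape LIKE wildcards so a submitted % or _ is matched literally.
            $value  = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value) . '%';
            $where .= " AND $column LIKE ? ESCAPE '!'";
        } else {
            $where .= " AND $column = ?";
        }
        $params[] = $value;         // the value travels separately from the SQL text
    }
    return [$where, $params];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vehicles (Year INTEGER, BodyStyle TEXT)');
$db->exec("INSERT INTO vehicles VALUES
    (2007, 'Truck (4 Door Extended Cab)'),
    (2008, 'Truck (4 Door Crew Cab)'),
    (2008, 'Sedan')");

// Constructed stand-ins for $_GET.
$requests = [
    [],                                   // no filters set
    ['BodyStyle' => 'Truck'],             // prefix match on BodyStyle
    ['Year' => '2008 OR 1=1'],            // injection attempt, bound as plain data
    ['BodyStyle' => '%'],                 // wildcard submitted as the value
];
foreach ($requests as $get) {
    [$where, $params] = buildWhere($get);
    $stmt = $db->prepare("SELECT COUNT(*) FROM vehicles $where");
    $stmt->execute($params);
    printf("%-45s -> %d row(s)\n", $where, $stmt->fetchColumn());
}
```

The generated SQL text contains only column names from the fixed list and ? placeholders, so nothing from the request is ever parsed as SQL.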