ragrim Posted July 6, 2011

Hi, I'm looking to add the ability for users to save a search query as a custom report and wondering what's the best way to do this. For example a user will run a search every month for all users that expire in the next 30 days so they can mail out subscription renewal reminders. What I was thinking was adding an option to "save query" after running a custom search and then save the mysql_query in a table in the DB. Then I would have a screen that selects all records from this table and displays the description they chose and when they run it I just grab the string from the DB and it then runs the report. Is this a good way to do it or is there a better way to do it? Sorry if this is the wrong section, I'm not sure if it fell under PHP or MySQL. Cheers.

ebmigue Posted July 6, 2011

I see nothing wrong with it. Save your SQL query strings, the same way you are saving, say, HTML strings. Retrieve those strings, then process them using the applicable library in PHP (say, mysql_*). You might want to perform some "pre-saving process" when saving those query strings, though (e.g., for security considerations). Hope it helps.

fenway Posted July 6, 2011

Running raw, arbitrary, user-contributed SQL queries is dangerous.

gristoi Posted July 6, 2011

I would say this is the worst way you could possibly do this. Allowing users to add and execute a string is the equivalent of handing them the key to the server. You would have to ensure all privileges for the connection were correct to start. What would stop them from saving a query string such as DROP DATABASE ....... or GRANT PRIVILEGES ......... You would be leaving your server wide open to attack. If you want to give them the ability to run queries then you need to take the control of building the queries out of their hands. One way of doing this is to build a query constructor that gives them the names of the fields they can search and the ability to add parameters that you control. Just an idea
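
The query-constructor approach suggested in the last reply, sketched as an added example (not code from the thread): the saved report is a JSON list of conditions instead of SQL text, field and operator names are checked against allowlists, and values are bound as parameters. The `users` table, its columns and `buildReportQuery` are hypothetical, and the demo uses an in-memory SQLite database through PDO so it runs without a MySQL server.

```php
<?php
// Added example: table, column and function names are hypothetical.
const REPORT_FIELDS = ['email' => 'text', 'status' => 'text', 'expires_on' => 'days'];
const REPORT_OPS = ['=', '<', '<=', '>', '>='];

// Turn a saved definition (JSON list of [field, operator, value]) into SQL plus bound values.
// For 'days' fields the value is an offset from today, so a monthly report stays current.
function buildReportQuery(string $definitionJson, DateTimeImmutable $today): array
{
    $conditions = json_decode($definitionJson, true);
    if (!is_array($conditions) || $conditions === []) {
        throw new InvalidArgumentException('A report needs at least one condition');
    }
    [$where, $params] = [[], []];
    foreach ($conditions as $c) {
        $c = is_array($c) ? array_values($c) : [];
        if (count($c) !== 3 || !is_string($c[0]) || !is_string($c[1])) {
            throw new InvalidArgumentException('Malformed condition');
        }
        [$field, $op, $value] = $c;
        if (!array_key_exists($field, REPORT_FIELDS) || !in_array($op, REPORT_OPS, true)) {
            throw new InvalidArgumentException('Field or operator not allowed');
        }
        $isDays = REPORT_FIELDS[$field] === 'days';
        if ($isDays ? !is_int($value) : !is_string($value)) {
            throw new InvalidArgumentException('Value has the wrong type for this field');
        }
        if ($isDays) {
            $value = $today->modify(sprintf('%+d days', $value))->format('Y-m-d');
        }
        // Only allowlisted text reaches the SQL string; the value is always bound.
        $where[] = "$field $op ?";
        $params[] = $value;
    }
    return ['SELECT email, status, expires_on FROM users WHERE ' . implode(' AND ', $where), $params];
}

// Demo with constructed sample rows and a constructed saved-report definition.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, status TEXT, expires_on TEXT)');
$db->exec("INSERT INTO users VALUES ('a@example.com','active','2011-07-20'), ('b@example.com','active','2011-12-01')");
$saved = '[["expires_on",">=",0],["expires_on","<=",30]]'; // what the saved-report row would hold
[$sql, $params] = buildReportQuery($saved, new DateTimeImmutable('2011-07-06'));
$stmt = $db->prepare($sql);
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
try {
    buildReportQuery('[["email; DROP DATABASE app","=","x"]]', new DateTimeImmutable());
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Running the report under a database account limited to SELECT on the reporting tables addresses the connection-privilege point raised in the same reply.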