1internet Posted January 22, 2013 Share Posted January 22, 2013 So I have a results page, e.g. a list of all the hotels for a specific city coming from the database: "SELECT * FROM `hotels` WHERE `city`='$city'" I want to also include a search form. They way I have tried, and assume would be the standard way is: if(isset($_GET['search'])) { $search = $_GET['search']; $search = "AND `name` LIKE '%$search%'"; } else { $search = ''; } So it checks if the search has been set, and if it has it then creates the msql code for it. I then adjust the sql query like so: "SELECT * FROM `hotels` WHERE `city`='$city $search'" 1. The search variable is not creating the correct sql result, so I think I may have done something wrong there. 2. Is this the usual way a search is added into the sql results? Would it be better to have" if(isset($_GET['search'])) { $search = $_GET['search']; $qry = ""SELECT * FROM `hotels` WHERE `city`='$city $search'" AND `name` LIKE '%$search%'"; } else { $qry = "SELECT * FROM `hotels` WHERE `city`='$city $search'"; } Or is there an even better way? Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/ Share on other sites More sharing options...
Barand Posted January 22, 2013 Share Posted January 22, 2013 Don't put $search inside the single quotes with $city "SELECT * FROM `hotels` WHERE `city`='$city' $search" Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407453 Share on other sites More sharing options...
soycharliente Posted January 22, 2013 Share Posted January 22, 2013 I think it's worth bringing up that you should also sanitize what you're pulling from the $_GET array before putting it into your query. For me, I usually concatenate the condition on the end instead of referencing an empty string. Small distinction, same end result. Here's what I do: $link = db_connect(); $query = "SELECT * FROM hotels WHERE city='{$city}'"; if ( isset($_GET['search']) ) { $search = make_safe($link, $_GET['search']); $query .= " AND name LIKE '%{$search}%'" } if ( $result = mysqli_query($link, $query, MYSQLI_STORE_RESULT) ) { // Show results } else { // Handle error } mysqli_close($link); function make_safe($db, $string) { return mysqli_real_escape_string($db, $string); } Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407460 Share on other sites More sharing options...
1internet Posted January 23, 2013 Author Share Posted January 23, 2013 concatenating is a nice idea, but I also need ORDER BY too, so I won't be able to concatenate that to the query. Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407631 Share on other sites More sharing options...
1internet Posted January 23, 2013 Author Share Posted January 23, 2013 Ok, what if we just keep the query as: "SELECT * FROM `hotels` WHERE `city`='$city $search' AND `name` LIKE '%$search%' ORDER BY `name`" Then if $search is not set, then it will = '', and all queries will match that search. Is that a good way? Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407633 Share on other sites More sharing options...
soycharliente Posted January 23, 2013 Share Posted January 23, 2013 The query you have won't work. You still have one of the same erros as your original post. ...WHERE `city`='$city $search'... I would continue to concatenate: $link = db_connect(); $query = "SELECT * FROM hotels WHERE city='{$city}'"; if ( isset($_GET['search']) ) { $search = make_safe($link, $_GET['search']); $query .= " AND name LIKE '%{$search}%'" } $query .= " ORDER BY `name` ASC" if ( $result = mysqli_query($link, $query, MYSQLI_STORE_RESULT) ) { // Show results } else { // Handle error } mysqli_close($link); function make_safe($db, $string) { return mysqli_real_escape_string($db, $string); } Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407670 Share on other sites More sharing options...
Barand Posted January 23, 2013 Share Posted January 23, 2013 On 1/22/2013 at 11:20 AM, Barand said: Don't put $search inside the single quotes with $city "SELECT * FROM `hotels` WHERE `city`='$city' $search" On 1/23/2013 at 10:54 AM, charlieholder said: The query you have won't work. You still have one of the same erros as your original post. ...WHERE `city`='$city $search'... Exactly so. I concluded there was no point talking to those who won't listen. Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407691 Share on other sites More sharing options...
1internet Posted January 24, 2013 Author Share Posted January 24, 2013 Oh right, I can keep concatenating, that will work. Sorry, I was listening, but just trying to explain what I wanted to achieve as best as possible. I still have a lot to learn on logic, but this really helps. Thanks Link to comment https://forums.phpfreaks.com/topic/273480-adding-search-into-a-sql-query/#findComment-1407872 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.