Home/ Questions/Q 6922813
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T10:27:18+00:00

I have been happy just adding an if statement here and there to a

  • 0

I have been happy just adding an if statement here and there to a page on my site to produce a data list but now its in the 000’s of lines of code and its messy.

I’m sure there is a better logic to what I am doing so any help would be good.

This is my logic (or how is should work)

check access lvl and add to sql - `accesslvl` = '1' 
Check if get_status is set - if set add to sql
check if get_product is set - if set add to sql
check if get_compnay is set - if set add to sql
check if get_datefrom is set - if set add to sql
check if get_dateto is set - if set add to sql

run query

now i have used lots of nested divs to work out if the gets are set, and if not dont and them to the sql, also it has to work out weather a WHERE or AND is needed.

I found this post creating a mysql search string dynamically?

And I was thing maybe this could help but not sure.
Example of my code.

if (isset($_GET['product'])&& $_GET['product'] >0){
        $product = $_GET['product'];
        if($a == 1){
            $sql_fields ="WHERE `Status_ID` = '$status' AND `Product` = '$product'";
        }
        else {
                $sql_fields ="WHERE `Product` = '$product'";
        }
        $b++;
    }
if (isset($_GET['company'])&& $_GET['company'] >0){
        $company = $_GET['company'];
        if($a == 0 && $b == 0){
                $sql_fields ="WHERE `Company_ID` = '$company'";
            }
        else if($a == 0 && $b == 1){
            $sql_fields ="WHERE `Product` = '$product' AND `Company_ID` = '$company'";
        }
        else if($a == 1 && $b == 0){
            $sql_fields ="WHERE `Status_ID` = '$status' AND `Company_ID` = '$company'";
        }
        else {
                $sql_fields ="WHERE `Status_ID` = '$status' AND `Product` = '$product' AND `Company_ID` = '$company' ";
        }
        $c++;
    }
if ($a == 0 && $b == 0 && $c == 0){
        $sql_fields =" ";
    }
if (isset($_GET['date_from']) && $_GET['date_from'] >0 && isset($_GET['date_to'])&& $_GET['date_to'] >0){
        if ($access_level == 1){
            if ($a == 0 && $b == 0 && $c == 0){
            $search_date = "WHERE `Date_added` >= '$date_from' AND `Date_added` <= '$date_to'";
            }
            else {
            $search_date = "AND `Date_added` >= '$date_from' AND `Date_added` <= '$date_to'";
            }
    }
if ($access_level ==2 or $access_level ==3){
            if ($a == 0 && $b == 0 && $c == 0){
            $search_date = " `Date_added` >= '$date_from' AND `Date_added` <= '$date_to'";
            $and = "AND";
            }
            else {
            $search_date = " `Date_added` >= '$date_from' AND `Date_added` <= '$date_to'";
            $and = "AND";
            }
        }

    }
else {
        $search_date = "";
        $and = "";
}

Here is my revised code!

$fields = array();

if (isset($_GET['status']) && $_GET['status'] >0){
    $status = $_GET['status'];
    $fields['Status_ID']= $_GET['status'];
    }
if (isset($_GET['product']) && $_GET['product'] >0){
    $product = $_GET['product'];
    $fields['Product_ID']= $_GET['product'];
    }
if (isset( $_GET['company']) && $_GET['company'] >0){
    $company = $_GET['company'];
    $fields['Company_ID']= $_GET['company'];
    }
if (isset( $_GET['closer']) && $_GET['closer'] >0){
    $closer = $_GET['closer'];
    $fields['Closer']= $_GET['closer'];
    }
if (isset( $_GET['date_from']) && $_GET['date_from'] >0 && isset( $_GET['date_to']) && $_GET['product'] >0){
    $date_from = $_GET['date_from'];
    $date_from = $_GET['date_to'];
    }
$field_count = count($fields);
if ($field_count == 0){
    $sql = "";
}
else {
    $field_count --;
    $sql="";
    $i=0;
        foreach($fields as $k => $v) {
            if($i==0){
                $sql = "WHERE `$k`  = '$v'";
                }
            else{
            $sql .=" AND `$k`  = '$v'";
            }
    $i++;

    }
}
 echo $sql;
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Firstly, there’s no need for the conditional branches to determine the right SQL keyword to use (just use the joining keyword as the state variable instead). Also your code is vulnerable to SQL injection and may result in queries not using indexes effectively. Consider:

    $join='WHERE';
$sql_filter='';
// potentially te following field meta data could be stored in a DB or file...
// or even selectively overriden at run time by the request...
$qbe=array(
   array('get_name'=>'product',
         'db_name'=>'Product',
         'op' => '=',
         'type'=>'string'),
   array('get_name'=>'date_from',
         'db_name'=>'date_added',
         'op' => '>=',
         'type' =>'date'),
   array('get_name'=>'date_to',
         'db_name'=>'date_added',
         'op' => '<=',
         'type' =>'date')
   ....
);
foreach ($qbe as $f) {
    $sql_filter=add_filter($sql_filter, $join, $f['get_name'],
      $f['type'], $f['op'], $f['db_name']);
}

function add_filter($sql_filter, &$join, $get_name, $type, $op, $db_name)
{
   $mod_filter=$sql_filter;
   if ($_GET[$get_name]) {
      switch(upper($type)) {
         case 'DATE':
            $mod_filter=$mod_filter 
              . " $join $db_name $op " 
              . date(strtotime($_GET[$get_name]), 'YmdHis');
            break;
         case 'NUMBER':
            $match=array();
            if (preg_match('/([-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?)/', $_GET[$get_name], $match) {
              $mod_filter=$mod_filter 
              . " $join $db_name $op " . $match[0];
            }
            break;
         default:
            $mod_filter=$mod_filter . " $join $db_name $op '" .
                mysql_real_escape_string($_GET[$get_name]) . "'";
            break;
      }
      if ($mod_filter != $sql_filter) {
           $join='AND';
      }
      return $mod_filter;
   }
    • 0