Home/ Questions/Q 8981713
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T20:24:18+00:00

I’m working on a search engine on my website. Users can add on criteria

  • 0

I’m working on a search engine on my website. Users can add on criteria which is submitted with a GET in the url.

When users select for example 1 criteria, it looks like this:

localhost/search.php?course=1&price=&name=

They have 3 criteria they can select, so as you see he only selected COURSE.

Now I have to select from the database according to the criteria so my code looks like this:

if ($_GET['price'] > 0 && $_GET['name'])
{
    $search_price = $_GET['price'];
    $search_name = $_GET['name'];

    $result2 = mysql_query("SELECT id, name, price, views, userid, type, anonymous FROM files WHERE course='$course_id' AND price < $search_price AND name LIKE '%$search_name%'");
}
elseif ($_GET['price'] > 0)
{
    $search_price = $_GET['price'];

    $result2 = mysql_query("SELECT id, name, price, views, userid, type, anonymous FROM files WHERE course='$course_id' AND price < $search_price");
} 
elseif ($_GET['name'])
{
    $search_name = $_GET['name'];

    $result2 = mysql_query("SELECT id, name, price, views, userid, type, anonymous FROM files WHERE course='$course_id' AND name LIKE '%$search_name%'");
}
else 
{
    $result2 = mysql_query("SELECT id, name, price, views, userid, type, anonymous FROM files WHERE course='$course_id'");
}

while ($row2 = mysql_fetch_assoc($result2))
                                        {
.....

But this can not be the correct way, because if eventually users can select 10 criteria this is going to be a very long code

How do I fix this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What I would do is dynamically create the sql query,and then execute it at the end. So something like this

    $query_string = "SELECT blahblah, blahblah, blah blah from blahx where 1=1 ";
$where = "";

if(isset($_GET['somecriteria']))
{
    $where .= " AND blahblah = $_GET['somecriteia'] ";
}
if(isset($_GET['someOTHERcriteria']))
{
    $where .= " AND blahblah=$_GET['someOTHERcritera'] ";
}
mysql_query($query_string . $where);

    etc..
    Take note this is just to show you how to achieve your objective. This is obviously prone to SQL Injection attacks and you’d have to clean the stuff up.

    • 0