I have to make a car website that filters cars depending on a preset mysql database. I have got it to filter if all are selected (eg: Honda, white, petrol and not on special - it will show that car) but if I just wanted to see all the Honda's (for example) nothing shows.
This is the code I have:
if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) || isset($_GET['special'])){
if(isset($_GET['make'])){
$make = $_GET['make'];
}
if(isset($_GET['colour'])){
$colour = $_GET['colour'];
}
if(isset($_GET['fueltype'])){
$fueltype = $_GET['fueltype'];
}
if(isset($_GET['special'])){
$special = $_GET['special'];
}
$result = mysqli_query($con,"SELECT * FROM Cars WHERE MAKE ='$make' AND COLOUR = '$colour' AND FUELTYPE = '$fueltype' AND SPECIAL = '$special'");
}
else{
$result = mysqli_query($con,"SELECT * FROM Cars");
}
the else statement makes all the cars show up when you open the page before filtering.
escape can mean: mysql_escape_string, check against a list of valid/allowed values, or whatever you want after good thinking.
$where = "";
$separator = " WHERE ";
if(isset($_GET['make'])){
$make = $_GET['make'];
!! escape here
$where .= $separator . " MAKE = '$make' ";
$separator = " AND ";
}
if(isset($_GET['colour'])){
$colour = $_GET['colour'];
!! escape here
$where .= $separator . " COLOUR = '$colour' ";
$separator = " AND ";
}
...
$result = mysqli_query($con,"SELECT * FROM Cars " . $where);
Here is how you can do it. Please do something for sql injection attacks. This is only example.
$query = "SELECT * FROM Cars ";
$where = array();
if(isset($_GET['make'])){
$where['make'] = $_GET['make'];
}
if(isset($_GET['colour'])){
$where['colour'] = $_GET['colour'];
}
if(isset($_GET['fueltype'])){
$where['fueltype'] = $_GET['fueltype'];
}
if(isset($_GET['special'])){
$where['special'] = $_GET['special'];
}
$string = '';
if(count($where)>0){
$i=0;
foreach($where as $key => $value)
{
if($i==0){
$string .= " WHERE $key = $value ";
}else{
$string .= " AND $key = $value ";
}
$i++;
}
}
$query .= $string;
mysqli_query($query);
if(isset($_GET['make']) || isset($_GET['colour']) || isset($_GET['fueltype']) || isset($_GET['special'])){
$where="WHERE ";
if(isset($_GET['make'])){
$make = $_GET['make'];
$where .="MAKE ='$make' AND";
}
if(isset($_GET['colour'])){
$colour = $_GET['colour'];
$where .="COLOUR = '$colour' AND";
}
if(isset($_GET['fueltype'])){
$fueltype = $_GET['fueltype'];
$where .="FUELTYPE = '$fueltype' AND";
}
if(isset($_GET['special'])){
$special = $_GET['special'];
$where .="SPECIAL = '$special";
}
$where=rtrim($where,'AND');
$result = mysqli_query($con,"SELECT * FROM Cars".$where);
}
else{
$result = mysqli_query($con,"SELECT * FROM Cars");
}
Ignoring the security issues you could replace your whole code with something like this:
$query = "SELECT * FROM Cars WHERE 1 = 1";
if (isset($_GET['make']))
$query .= ' AND MAKE = ' . (int) $_GET['make'];
if (isset($_GET['colour']))
$query .= ' AND COLOUR = ' . (int) $_GET['colour'];
if (isset($_GET['fueltype']))
$query .= ' AND FUELTYPE = ' . (int) $_GET['fueltype'];
if (isset($_GET['special']))
$query .= ' AND SPECIAL = ' . (int) $_GET['special'];
$result = mysqli_query($con, $query);