PHP PDO bind dynamic field and value from search box -
i trying run query using pdo prepared statements allows me have user select field , enter value field, , include in query.
so in basic query:
$sql = "select lastname, firstname administrators status=:status "; $stmt->bindparam(':status',$status, pdo::param_str);
works great.
but have search form allows user select drop down shows firstname, lastname , text box enter search term
$sql = "select lastname, firstname administrators status=:status **and field = term**";
i have not found examples online far. guidance appreciated.
i using:
$params = array(); if (!empty($searchfield) && !empty($searchfor)) { $params['searchfield'] = $searchfield; $params['searchfor'] = $searchfor; }
but getting error: fatal error: uncaught exception 'pdoexception' message 'sqlstate[42s22]: column not found: 1054 unknown column 'searchfield' in 'where clause''
updated code:
here code using form:
<input id="searchtext" name="searchtext" type="text" placeholder="search" value="<?php echo getparam('searchtext'); ?>" /> <select name="searchby"> <option value="">search by</option> <option id="lastname" value="lastname" <?php if(getparam('searchby') == 'lastname'){echo "selected='selected'";}?>>last name</option> <option id="firstname" value="firstname" <?php if(getparam('searchby') == 'firstname'){echo "selected='selected'";}?>>first name</option> <option id="rolename" value="rolename" <?php if(getparam('searchby') == 'rolename'){echo "selected='selected'";}?>>role name</option> </select> <input type="submit" id="submit" name="command" value="search" />
and here code method:
public function getallusers($status = 'a',$searchfield = '',$searchfor = '') { $db=db::getinstance(); $sql = "select administrators.adminid, adminemail, lastname, firstname, primaryphone, cellphone, administrators.status, logindatetime, rolename administrators inner join permissions on permissions.adminid=administrators.adminid inner join roles on roles.roleid=permissions.roleid inner join sessions on sessions.adminid=administrators.adminid status=:status "; $stmt=$db->prepare($sql); $stmt->bindparam(':status',$status, pdo::param_str); $stmt->execute(); return $stmt->fetchall(pdo::fetch_obj); }
you can't use parameters identifiers (table / column names, etc). you'll need sanitise these appropriately , inject them query string. can still use parameter value. i'd go set list of searchable columns. example
// create map of field key column name mappings $searchcols = array( 'fn' => 'firstname', 'ln' => 'lastname' );
when showing form, can use generate options
<select name="searchfield"> <?php foreach ($searchcols $key => $label) : ?> <option value="<?= htmlspecialchars($key) ?>"><?= htmlspecialchars($label) ?></option> <?php endforeach ?> </select>
now use build query
// you'll want more validation around $searchfield = $searchcols[$_post['searchfield']]; $query = sprintf('select lastname, firstname administrators status = :status , `%s` = :searchterm', $searchfield); // prepare statement , bind status, etc ... $stmt->bindparam(':searchterm', $searchfor);
Comments
Post a Comment