PHP PDO bind dynamic field and value from search box -


i trying run query using pdo prepared statements allows me have user select field , enter value field, , include in query.

so in basic query:

$sql = "select lastname, firstname administrators status=:status ";  $stmt->bindparam(':status',$status, pdo::param_str); 

works great.

but have search form allows user select drop down shows firstname, lastname , text box enter search term

$sql = "select lastname, firstname administrators status=:status **and field = term**"; 

i have not found examples online far. guidance appreciated.

i using:

$params = array();     if (!empty($searchfield) && !empty($searchfor))      {         $params['searchfield'] = $searchfield;         $params['searchfor'] = $searchfor;     } 

but getting error: fatal error: uncaught exception 'pdoexception' message 'sqlstate[42s22]: column not found: 1054 unknown column 'searchfield' in 'where clause''

updated code:

here code using form:

 <input id="searchtext" name="searchtext" type="text" placeholder="search" value="<?php echo getparam('searchtext'); ?>" />                                <select name="searchby">                                 <option value="">search by</option>                                 <option id="lastname" value="lastname" <?php if(getparam('searchby') == 'lastname'){echo "selected='selected'";}?>>last name</option>                                 <option id="firstname" value="firstname" <?php if(getparam('searchby') == 'firstname'){echo "selected='selected'";}?>>first name</option>                                 <option id="rolename" value="rolename" <?php if(getparam('searchby') == 'rolename'){echo "selected='selected'";}?>>role name</option>                             </select>                             <input type="submit" id="submit" name="command" value="search" /> 

and here code method:

public function getallusers($status = 'a',$searchfield = '',$searchfor = '') { $db=db::getinstance(); $sql = "select administrators.adminid, adminemail, lastname, firstname, primaryphone, cellphone, administrators.status, logindatetime, rolename administrators inner join permissions on permissions.adminid=administrators.adminid inner join roles on roles.roleid=permissions.roleid inner join sessions on sessions.adminid=administrators.adminid status=:status ";  $stmt=$db->prepare($sql); $stmt->bindparam(':status',$status, pdo::param_str);  $stmt->execute(); return $stmt->fetchall(pdo::fetch_obj); } 

you can't use parameters identifiers (table / column names, etc). you'll need sanitise these appropriately , inject them query string. can still use parameter value. i'd go set list of searchable columns. example

// create map of field key column name mappings $searchcols = array(     'fn' => 'firstname',     'ln' => 'lastname' ); 

when showing form, can use generate options

<select name="searchfield">     <?php foreach ($searchcols $key => $label) : ?>     <option value="<?= htmlspecialchars($key) ?>"><?= htmlspecialchars($label) ?></option>     <?php endforeach ?> </select> 

now use build query

// you'll want more validation around $searchfield = $searchcols[$_post['searchfield']];  $query = sprintf('select lastname, firstname administrators status = :status , `%s` = :searchterm',     $searchfield);  // prepare statement , bind status, etc ...  $stmt->bindparam(':searchterm', $searchfor); 

Comments

Popular posts from this blog

Detect support for Shoutcast ICY MP3 without navigator.userAgent in Firefox? -

web - SVG not rendering properly in Firefox -

java - JavaFX 2 slider labelFormatter not being used -