On 5/21/05, virtualsoftware@xxxxxxxxx <virtualsoftware@xxxxxxxxx> wrote:
> Hi,
>
> I need to build up a search module for a shop. If I make a basic search (product title for example) it is ok.
>
> $query = "SELECT product_id FROM products WHERE title LIKE '%$title%'";
>
> But i need an advance search for more than one field (title, description, price, weight)
> The problem is that i don't know which field is filled in by the user (title, description, price or weight)
Without error checking, or security code(ie supplied code contains SQL
injection vulnerability):
$sql = "SELECT product_id FROM products WHERE ";
if($_GET['title']){
$sql_ext[] = "title like '%{$_GET['title']}%' ";
}
if($_GET['description']){
$sql_ext[] = "description like '%{$_GET['description']}%' ";
}
$sql .= implode(" OR ", $sql_ext );
> I mean, the user can fill in all fields, or only price field, or title and weight etc
>
> How can i do the search?
>
> Thanks
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
