I am having a problem using a dynamic where clause. I have a feeling
that I am overlooking something very simple, although I can't seem to
figure it out.
The error i'm getting is: You have an error in your SQL syntax. Check
the manual that corresponds to your MySQL server version for the right
syntax to use near 'ORDER BY full_name ASC LIMIT 0,25'
Any help would be greatly appreciated.
here is my code:
$ssn = $_POST['ssn'];
$state = $_POST['state'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$whereclause .= ($ssn)?" and ssn='$ssn'":"";
$whereclause .= ($state)?" and state='$state'":"";
$whereclause .= ($firstname)?" and firstname like '%$firstname%'":"";
$whereclause .= ($lastname)?" and lastname like '%$lastname%'":"";
$where = 'WHERE'.substr($whereclause, 4);
// Define sql to list customers
$sql_customers = "SELECT customers.*,
date_format(customers.create_date, '%m/%d/%Y') as create_date,
concat(customers.lastname,', ',customers.firstname) as
full_name,
products.description,
lookupclientstatus.status
FROM customers
INNER JOIN products ON
customers.product_id=products.product_id
INNER JOIN lookupclientstatus ON
customers.status_id=lookupclientstatus.status_id
$where
ORDER BY full_name ASC
LIMIT $from,$max_results
";
7  3524 
diroddi wrote: $whereclause .= ($ssn)?" and ssn='$ssn'":"";
$whereclause .= ($state)?" and state='$state'":"";
$whereclause .= ($firstname)?" and firstname like '%$firstname%'":"";
$whereclause .= ($lastname)?" and lastname like '%$lastname%'":"";
$where = 'WHERE'.substr($whereclause, 4);
You should try outputting your SQL statement to see what it looks like.
If you did, you would see something that the first term of your
WHERE clause begins with "and". (WHERE and ssn=.....) You need to keep
track of whether or not you have added a term to the WHERE clause and
only include the "and" for terms other than the first.
NM
--
convert uppercase WORDS to single keystrokes to reply
diroddi wrote: I am having a problem using a dynamic where clause.
So you have an SQL question, not a PHP question.
$ssn = $_POST['ssn'];
$state = $_POST['state'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$whereclause .= ($ssn)?" and ssn='$ssn'":"";
$whereclause .= ($state)?" and state='$state'":"";
$whereclause .= ($firstname)?" and firstname like '%$firstname%'":"";
$whereclause .= ($lastname)?" and lastname like '%$lastname%'":"";
Uhm... that's all you check? Major security issue here!
$where = 'WHERE'.substr($whereclause, 4);
read the documentation on implode, that's probably a better way to get
your "and"'s.
Also, what if $whereclause is empty?
// Define sql to list customers
$sql_customers = "SELECT customers.*,
date_format(customers.create_date, '%m/%d/%Y') as create_date,
concat(customers.lastname,', ',customers.firstname) as
full_name,
products.description,
lookupclientstatus.status
FROM customers
INNER JOIN products ON
customers.product_id=products.product_id
INNER JOIN lookupclientstatus ON
customers.status_id=lookupclientstatus.status_id
$where
ORDER BY full_name ASC
LIMIT $from,$max_results
";
Do an echo $sql_customers and check this. Otherwise, feed this directly
to mysql (guessing you use that one) and see what line it reports.
--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
diroddi wrote (in part): The error i'm getting is: You have an error in your SQL syntax. Check
the manual that corresponds to your MySQL server version for the
right syntax to use near 'ORDER BY full_name ASC LIMIT 0,25'
Any help would be greatly appreciated.
here is my code:
$ssn = $_POST['ssn'];
$state = $_POST['state'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$whereclause .= ($ssn)?" and ssn='$ssn'":"";
$whereclause .= ($state)?" and state='$state'":"";
$whereclause .= ($firstname)?" and firstname like '%$firstname%'":"";
$whereclause .= ($lastname)?" and lastname like '%$lastname%'":"";
$where = 'WHERE'.substr($whereclause, 4);
// Define sql to list customers
$sql_customers = "SELECT customers.*,
date_format(customers.create_date, '%m/%d/%Y') as create_date,
concat(customers.lastname,', ',customers.firstname) as
full_name,
products.description,
lookupclientstatus.status
FROM customers
INNER JOIN products ON
customers.product_id=products.product_id
INNER JOIN lookupclientstatus ON
customers.status_id=lookupclientstatus.status_id
$where
ORDER BY full_name ASC
LIMIT $from,$max_results
";
Have you tried printing out your query before you execute it? SQL is
telling you that you have an error in your query. What does it look
like?
Ken
News Me wrote: diroddi wrote:
$whereclause .= ($ssn)?" and ssn='$ssn'":"";
$whereclause .= ($state)?" and state='$state'":"";
$whereclause .= ($firstname)?" and firstname like '%$firstname%'":"";
$whereclause .= ($lastname)?" and lastname like '%$lastname%'":"";
$where = 'WHERE'.substr($whereclause, 4);
You should try outputting your SQL statement to see what it looks like.
If you did, you would see something that the first term of your WHERE
clause begins with "and". (WHERE and ssn=.....) You need to keep track
of whether or not you have added a term to the WHERE clause and only
include the "and" for terms other than the first.
NM
Whoops! Missed the "substr". NEVER MIND!
NM
--
convert uppercase WORDS to single keystrokes to reply
News Me wrote: diroddi wrote:
$whereclause .= ($ssn)?" and ssn='$ssn'":"";
$whereclause .= ($state)?" and state='$state'":"";
$whereclause .= ($firstname)?" and firstname like '%$firstname%'":"";
$whereclause .= ($lastname)?" and lastname like '%$lastname%'":"";
$where = 'WHERE'.substr($whereclause, 4);
You should try outputting your SQL statement to see what it looks like.
If you did, you would see something that the first term of your WHERE
clause begins with "and". (WHERE and ssn=.....) You need to keep track
of whether or not you have added a term to the WHERE clause and only
include the "and" for terms other than the first.
NM
Even easier, do something like this: assuming that $ssn, $state,
$firstname and $slastname all have values:
$where_items[] = "ssn='$ssn'";
$where_items[] = "state='$state'";
$where_items[] = "firstname like '%$firstname%'";
$where_items[] = "lastname like '%$lastname%'";
$where = 'WHERE ' . join(' AND ', $where_items);
JP
--
Sorry, <de*****@cauce.org> is a spam trap.
Real e-mail address unavailable. 5000+ spams per month.
Thanks for the fast responses everybody.
Turns out that it was the empty $where. Hers's what I added to correct
it.
$tmp_where = 'WHERE '.substr($whereclause, 4);
if($tmp_where=="WHERE ")
{
$where="";
}
else
{
where=$tmp_where;
}
I am a novice experimenting with different things. If there is a better
way (and I'm sure there is) to use variables
to build SQL where clauses I really want to know. Also, if anybody
knows of better place to post on MySQL I really need to know.
I'm off to read about cleaning my variables from harm, intentional or
otherwise. I'm going to start with addslashes() and stripslashes(). Any
other ideas?
Thanks again
diroddi wrote: Turns out that it was the empty $where. Hers's what I added to correct
it.
$tmp_where = 'WHERE '.substr($whereclause, 4);
if($tmp_where=="WHERE ")
{
$where="";
}
else
{
where=$tmp_where;
}
Ugly hack:
You know $whereclause is either empty or " and x1=y1[ and x2=y2[ ...]]";
if you do
'WHERE 1' . $whereclause
you get something like
'WHERE 1' or
'WHERE 1 and id=6 and cat=4'
so you can get rid of the $tmp_where and substr() call and do
$sql_customers = "SELECT ...
...
WHERE 1$whereclause
ORDER BY ...";
Please don't hit me! I said it was an ugly hack :-)
--
Mail to my "From:" address is readable by all at http://www.dodgeit.com/
== ** ## !! ------------------------------------------------ !! ## ** ==
TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
may bypass my spam filter. If it does, I may reply from another address! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Robert Scheer |
last post by:
Hi.
I have a stored procedure on a Oracle 8.1.6 database that generates a
dynamic sql statement. This stored procedure has an output parameter
that needs to return a count from a view. I can...
|
by: jrefactors |
last post by:
I want to distinguish between static SQL, dynamic SQL, and embedded
SQL, but couldn't find too much useful resources in the web.
For example, if we put SQL statements (SELECT, INSERT, UPDATE,...
|
by: klh |
last post by:
We use DB2 Connect v 7.2 FP7 in Windows NT hitting a OS/390 DB2 v7.1
database. We have a Websphere (java) application that issues dynamic
SQL. Most of the time when we issue dynamic SQL SELECT...
|
by: Arijit Chatterjee |
last post by:
Dear Faculties,
I have a query on this statement..
===============================
CREATE PROCEDURE Check_Manage ( )
DYNAMIC RESULT SETS 1
==============================
I want to know the...
|
by: starace |
last post by:
I have designed a form that has 5 different list boxes where the
selections within each are used as criteria in building a dynamic
query. Some boxes are set for multiple selections but these list...
| | |
by: Brian Shannon |
last post by:
I have 3 combo boxes and two date text boxes on a .aspx page. The user can
fill in any of the 5 controls or none to filter a datagrid. I was hoping
someone could explain how to efficiently build...
|
by: salad |
last post by:
Operating in A97.
I didn't receive much of a response conserning Pivot tables in Access.
Pivot tables are nice, but a CrossTab will work for me too.
Using a Pivot table, one is actually...
|
by: john |
last post by:
I'm trying to build a LINQ expression that will use a dynamic construction
of a LIKE statement in the WHERE clause, it would look something like this
in SQL:
WHERE TaskGroup Like "*00*" OR...
|
by: Jay Douglas |
last post by:
Hello,
I've found some posts on creating dynamic WHERE clauses in LINQ to SQL using
predicate builders and extending lamda expressions. One issue with these
posts is all the examples only use a...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
