0

I have a users page, where all the users in the system are displayed by default.

I am trying to apply filters so that users can refine their search for a user. For example, view all users who are male.

By default, to display all users on users.php, I am running this query by default:

$get_all_users = "SELECT * FROM users";

But when a user for example selected they want to view all female users on the system, then I want to run this query (example):

$get_all_users = "SELECT * FROM users WHERE gender = 'female'";

But for some reason, the query which displays all users by default, is always being executed. Here is my approach:

// get gender from radio buttons
$refined_gender = htmlentities (strip_tags(@$_POST['gender']));

$get_all_users = "SELECT * FROM users";

if (isset($_POST['submit'])){
if (isset($_POST['gender'])) {
        if ($refined_gender){
                $get_all_users = "SELECT * FROM users WHERE gender = '$refined_gender'";
        }
    }
}
Improve this question
13
  • 1
    1. Have you verified (var_dump($_POST)) that those two items are actually set? 2. This probably isn't why it's not working at this point, but htmlentities and strip_tags are not suitable for escaping input to an SQL query. Commented Mar 31, 2016 at 21:52
  • The reason you do @$_POST['gender'] is, because of the annoying warning that warned you that this key inside the POST array does not exist. So why not check if beforehand and build your WHERE clause somewhere else where you check (in a switch case) what the user picked in the frontend. 1/2 Commented Mar 31, 2016 at 21:55
  • Meaning with that, in the future, with more filters, you have a big if else construct which is hard to throw an eye at. So have a function build the WHERE is a much better approch. Also it would kill duplicate code in the process. 2/2 Commented Mar 31, 2016 at 21:56
  • 1
    Why not load all content on the page and use a client side filter to display / hide content based on the users selection. For example, when you echo the results into the page, set the gender as a class of each entry and then on the users selection toggle the class to display / hide? - Two benefits to this - reduced server load and speed of displaying the filtered results to the user. And then you could add other filterws in (for example all those people named "Bob" would be a simple thing to filter client side without the need for another query. Commented Mar 31, 2016 at 21:59
  • Is the '@' necessary next to '@$_POST['gender']'? I've never seen that used, so that might be the problem. Commented Mar 31, 2016 at 22:02

1 Answer 1

Reset to default
0

Like I would build the WHERE clause (something like that atleast) Not tested

$get_all_users = "SELECT * FROM users" . buildWhereClause($_POST);

function buildWhereClause($_POST) {
    $where = 'WHERE 1=1';
    foreach($_POST as $k => $v) {
        //check if $v is valid with a different function
        switch($k) {
            case 'gender':
                $where .= sprintf('AND `gender` = `%s`', $v);
                break;
            case 'age':
                $where .= sprintf('AND `age` = %d', $v);
                break;
        }
    }
    return $where;
}

This is a very lame function and should not be used as is. Just as an example where it could lead to. I'm sure theres clever ways of doing it and you dont always want an AND.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.