2

I am trying to implement filters which will help users refine there search for other users. Here is an image of my search parameters just to provide you with a graphical representation of what I will soon convey:

enter image description here

There are three filters:

  1. Gender
  2. Age
  3. Similarity in studies

By default, I want to convey all users on the system. So when a user goes onto users.php, every single user will be displayed, then, when the filters are applied, refine the results accordingly.

Not all three parameters have to be completed to start the search, for example, a user can simply search a female user and it should display all female users on search click.

I have tried to implement different queries for each scenario, but all users are always being displayed. If I specify I want to search for a female and then click search, it will do nothing, still showing me all users.

Also, I am struggling with the similarity in studies parameter. The way this works is that in a table called user_bio I am storing data regarding what the user is studying, the user can choose to not provide this information, so studying can also be empty in my table.

The way I want it to work is to look at what the logged in user is studying, and then find words which match in other peoples bio's. For example, I am currently logged in as Conor, and Conor is studying Computer Science. Ideally, an algorithm will run which searches other users bio from the user_bio table, and return all the users who have computer or science in their bio's. Im pretty sure this concerns the LIKE clause but I have never used it before so I cannot be certain.

Here is my current approach:

// processing filters
$refined_gender = htmlentities (strip_tags(@$_POST['gender']));
$age_from       = htmlentities (strip_tags(@$_POST['age_from']));
$age_to         = htmlentities (strip_tags(@$_POST['age_to']));
$studying       = htmlentities (strip_tags(@$_POST['studying']));

$get_all_users = mysqli_query ($connect, "SELECT * FROM users" );

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (isset($_POST['submit'])){   
        // if gender parameter is used ...
        if ($refined_gender){
                $gender_statement = mysqli_prepare ($connect, "SELECT * FROM users WHERE gender = ?");
                mysqli_stmt_bind_param($gender_statement, "s", $refined_gender); 
                mysqli_stmt_execute ($gender_statement);
                mysqli_stmt_close($gender_statement);
        }
        // if studying parameter used...
        if ($studying) {
            // see explanation below...
        }
        // if gender and age parameter used...
        if ($refined_gender && $age_from && $age_to){
                $gen_and_age_statement = mysqli_prepare ($connect, "SELECT * FROM users WHERE gender = ? AND age BETWEEN ? AND ?");
                mysqli_stmt_bind_param($gen_and_age_statement, "sss", $refined_gender, $age_from, $age_to); 
                mysqli_stmt_execute ($gen_and_age_statement);
                mysqli_stmt_close($gen_and_age_statement);
        }
}

Summary, what I need:

  1. The SELECT * FROM users query to be executed by default on users.php. This will show all the users in the system.
  2. For any filter to be applied. Not all filters need to be applied to get a result, a user can search for a female and click search, loading all female users in the system.
  3. I need the query to change based on what filters have been applied. So if a user has searched for a male user, and the other two options are not selected, then query will be "SELECT * FROM users WHERE gender = '$var_here'.
Improve this question
4
  • I'd recommend not suppressing error messages but handle them. Most can be solved with a simple isset(); Commented Apr 12, 2016 at 0:42
  • if ($refined_gender && $age_from && $age_to) why are you checking if these variables are true? Commented Apr 12, 2016 at 14:11
  • @EdwardBlack - My thought process behind this was "if the fields have data in them, or option is selected, do this...". Commented Apr 12, 2016 at 23:37
  • then you have to use isset e.g. if (isset($refined_gender) && isset($age_from) && isset($age_to)) Commented Apr 13, 2016 at 6:45

4 Answers 4

Reset to default
1
+50

Here iam providing code such that how can you write multiple filter option inside a single query..but here i didn't mention about your 3rd filter option studing,because its about another table and you were not mentioned it clearly such that it's linked to this table using foreign keys or following relational database structure.any way multi filter option is as follows..here i added database connect and escape injection's functions...if u don't need that neglect that part..

function escape($e_string)
{
    global $connect;
    if(!isset($connect))
    {
        // DATABASE CONNECTION QUERY
        $connect = mysqli_connect("servername", "username", "password", "");
        if (!$connect) 
            die("Connection failed: " . mysqli_connect_error());
    }   
    $e_string = trim(utf8_encode($e_string));   
    $e_string = mysqli_real_escape_string($connect,$e_string);
    return $e_string;   
}

// processing filters
$refined_gender = isset($_POST['gender']) ? escape($_POST['gender']) : '';
$age_from       = isset($_POST['age_from']) ? escape($_POST['age_from']) : '';
$age_to         = isset($_POST['age_to']) ? escape($_POST['age_to']) : '';
$studying       = isset($_POST['studying']) ? escape($_POST['studying']) : '';

$query = "SELECT * FROM users WHERE 1=1";

if (isset($_POST['submit'])){

        $addstring1 = $addstring2 = $addstring3 =  $and1 = $and2 = $and3 = "";
        $andcnt =3;

        if($refined_gender != '') 
        $addstring1 = " gender = '$refined_gender'";    

        if($age_from != '') 
        $addstring2 = " age >= '$age_from'";    

        if($age_to != '') 
        $addstring3 = " age <= '$age_to'";    

        for($i=1;$i<=$andcnt;$i++)
        ${"and".$i} =  ${"addstring".$i} != '' ? " AND" : "";

        $query .= $and1.$addstring1.$and2.$addstring2.$and3.$addstring3;

}
$get_all_users = mysqli_query ($connect, $query);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Hi. I get Fatal error: Call to undefined function escape() errors on all four processing filters. Any idea why? Until then, I cannot test this appraoch
Did you copy and paste the same function 'escape' i wrote on top?..that's to make your inputs secure.to check the query working or not remove all escape function call from POST inputs..
Yes, do you mind joining this chat room, so I can ask you a few questions on your approach? chat.stackoverflow.com/rooms/109252/php-filters
1

Instead of this code:

 htmlentities (strip_tags(@$_POST['gender']));

you should validate it, like so:

 $gender = filter_input(INPUT_POST, 'gender', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^[mf]$/i']]);
 $ageFrom = filter_input(INPUT_POST, 'age_from', FILTER_VALIDATE_INT, [ 'default' => 1, 'min_range' => 1, 'max_range' => 100]);
 $ageTo = filter_input(INPUT_POST, 'age_to', FILTER_VALIDATE_INT, [ 'default' => 1, 'min_range' => 1, 'max_range' => 100]);
 $studying = filter_input(INPUT_POST, 'gender', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(similar|different|same)$/i']]);

This is simpler and more secure.

Each input should be properly validated.

Avoid using @.

Once you have the values, you can concatenate them in to your query, like so:

$types = '';
$values = [];
$query = 'SELECT * FROM users';
$where = [];

// empty tests for both null (no data in input) and false (invalid data)
if (!empty($gender)) {
    $where[] = 'gender = ?';
    $types .= 's';
    $values[] = &$gender;
}
if (!empty($ageFrom)) {
    $where[] = 'age >= ?';
    $types .= 'i';
    $values = &$ageFrom;
}
if (!empty($ageTo)) {
    $where[] = 'age <= ?';
    $types .= 'i';
    $values = &$ageTo;
}
if (!empty($studying)) {

    $field = 'user_bio';

    // Get the $user_bio value of the current user from the database

    // Change the $user_bio into a regular expression collection of words
    $regexp = '('.str_replace(' ','|',$user_bio).')';

    // Set up the where 
    switch ($studying) {
        case 'same':
            $comparison = '= ?';
            break;
        case 'different':
            $comparison = 'NOT REGEXP (?)';
            break;
        case 'similar':
            $comparison = 'REGEXP (?)';
            break;                
    }
    $where[] = $field.' '.$comparison;
    $types .= 's';
    $values[] = &$user_bio;
}

if (count($where) > 0) {
    $query .= ' WHERE '.implode(' AND ',$where);
}

// new mysqli ( host, 
$mysqli = new mysqli('localhost','root','','stuff');
$stmt = $mysqli->prepare($query);

// This allows you to use a variable number of arguments with the prepared statement
// Note the use of the ampersands on the array assignment, this ensures they are passed by reference
$params = array_merge([$types],$values);
call_user_func_array([$stmt,'bind_param'],$params);

$stmt->execute();

// Bind a variable for each column
$stmt->bind_result($user_name);

while ($stmt->fetch()) {
var_dump($result);
}
Improve this answer

11 Comments

Understood. Where you have m and f, are those just examples? i.e. should I replace them with the value's of each radio button (['male', 'female'])? Also sorry for the late response, been really busy, and I appreciate your help :)
Yes - for example <input type="radio" name="gender" value="f" id="rb-female"> and <input type="radio" name="gender" value="m" id="rb-male">
I am having couple issues validating age using your approach. Seeing as the age filter relies on two values ($age_from and $age_to) How do I validate this? Currently, I have the following $ageFilter = false; if (isset($_POST['gender'])) { $age_from = strtolower($_POST['age_from']); $age_to = strtolower($_POST['age_to']); if (!in_array($age_from, $age_to,['age_from','age_to'])) die; $ageFilter = true; } and I am 100% I have made a mistake. Also, when processing $ageFilter , how do I set it's $value? I have $values[] =&$age_from, $age_to;?
Hm, I'v been stuck on this for a while, but I get an ` Undefined variable` error and ` Call to a member function prepare() on a non-object` fatal error on this line $stmt = $mysqli->prepare($query); and I can't figure out why?
Use the object oriented notation for mysql - php.net/manual/en/class.mysqli.php
|
1

(I'm not sure why the answers already provided don't address your question sufficiently.)

I'd approach it like this. First, get rid of that first query execution to pull all users. Instead, use just a single query.

Dynamically prepare the SQL text. Start the statement with the "SELECT ... FROM users". (We'll handle appending an ORDER BY as the last step.

I'd conditionally check each "filter", to see if I need to append a condition to the WHERE clause or not.

At the start of the SQL, we'll include a "WHERE 1=1".

$sql = "SELECT ... FROM users u" 
$sql .= " WHERE 1=1";

The "WHERE 1=1" is basically useless. The optimizer is going to throw that away. The reason we add it is just to make our code easier later. We can just append our next filter with " AND condition", and not worry about whether this is the first one, and we need to use WHERE instead of AND.

We'll initialize a string and an array, to hold our bind types string "sssis" whatever it needs to be, and an array of references to the values we want to pass in.

  $bind_type = "";
  $bind_vals = array();

The processing for each filter is going to be icky... but we can do it. Check if we need to append anything to the SQL. If we do, figure out what needs to be added, including any bind placeholders. And append the type of the bind parameter ("i", "s", whatever) to the $bind_type string, and push (the reference to) a value into our $bind_vals array.

if ( $refined_gender ) {
   // figure out what that SQL text needs to look like
   // append the string to the SQL text
   $sql .= " AND u.gender = ?";

   // append type to string, and push a reference to the value into array 
   $bind_types .= "s";
   $bind_val[] = &$refined_gender;
}

Our code in there is going to be more complicated than that. That's just handling an equality comparison. We're just keeping things simple now, to illustrate the pattern.

We repeat the same kind of thing for each filter we might need to add. Check if it's needed, figure out what we need to append to the SQL text, append to the bind_types string and push (a reference to) the value into the bind_vals array.

For working this out, I'd start with working on just one condition, and get that working, to get the kinks worked out. When we add more filters, and things go awry, I know where to look for the problem. (I know what was working before.)

When I'm done with the WHERE clause, I append any ORDER BY and LIMIT that I need. This could be conditional, but in the end, we're going to wind up doing something like this:

   $sql .= " ORDER BY u.id DESC LIMIT 50";

When I'm done with all that, I've got a string containing SQL text that looks something like this:

  SELECT ...
    FROM users u 
   WHERE 1=1
     AND u.gender = ?
     AND u.age_from >= ?
     AND u.age_to   <= ?
   ORDER BY u.id DESC
   LIMIT 50

(in this example, it contains three bind placeholders. If we've done it right,

we'll have a $bind_types string containing three characters, e.g. "sii"

And we'll have a $bind_vals array that contains references to three values.

Now, we can call mysqli_stmt_prepare. If there's not an error in our SQL, we should get back a statement handle.

$stmt = mysqli_prepare($conn,$sql);

(Check the return from the prepare.)

Now we just need to bind our parameters. And this is where mysqli makes things a little hairy. If we were using PDO (or Perl DBI), calling the "bind parameter/bind value" would be easy. Those would let us pass an array of the bind values. But not mysqli. He won't let us call mysqli_stmt_bind_param with an array as an argument.

We need to run a function call like this:

mysqli_stmt_bind_param($stmt, $bind_types, &$refined_gender, &$age_from, ... );

And our problem is that we have a variable number of arguments.

There is a workaround.

We can use the call_user_func_array function.

Because the code is using procedural style and not object oriented style, the handle to the prepared statement is the first argument, the second argument is the bind types string, followed by the bind values. The bind values are already in an array. We just need to get all of those into one hugh jass array.

The array_merge function seems to be custom designed for doing this. 

 // array_merge(array($stmt), array($bind_types), $bind_vals)

That will return us a single array. Which is exactly what we need for calling the call_user_func_array function. We aren't going to need that array anywhere else (unless we're debugging, and we want to print it out).

We only need to call mysqli_stmt_bind_param if we have at least one bind placeholder in our statement. So we can shortcut around this if our $bind_types string is empty. (And we know $bind_types won't be "0" because our code never appended a "0" to it.)

 if ($bind_types) {
    call_user_func_array('mysqli_stmt_bind_param', array_merge(array($stmt), array($bind_types), $bind_vals) );
 }

The first argument (to call_user_func_array) is the name of the function we want to execute, and the second argument is the hugh jass array that we want converted into a list.

And the whole point of doing that is making it dynamic, we can pass in one, two, three, bind values.

At this point, we're ready to execute the statement, and fetch the results.

Again, important to point out: mysqli_stmt_bind_param expects the bind values to be passed by reference, not by value. And that's why we pushed references to the values into the bind_vals array.

I'm not sure what question you asked.

But definitely ditch that first call to mysqli_query. That's going to return all rows in the users table.

With one or two conditions, the approach of static SQL and static bind types, and listing out the bind values is workable.

But when we get three, four, five possible filters, and all the possible combinations, that's going to be unweildy.

So we go with a more dynamic approach, dynamically creating the query, and pushing our bind values on an array as go.

Improve this answer

Comments

0

This Html page:

<form method="POST" action="">
    <input type="radio" name="rbo_gender" value="male">Male
    <input type="radio" name="rbo_gender" value="female">Female
    Age From<select name="agefrom">
        <?php
        for($i=10;$i<50;$i++):
        ?>
        <option value="<?php echo $i?>"><?php echo $i?></option>
        <?php
        endfor;
        ?>
    </select>
    Age To<select name="ageto">
        <?php
        for($i=10;$i<50;$i++):
        ?>
        <option value="<?php echo $i?>"><?php echo $i?></option>
        <?php
        endfor;
        ?>
    </select>
    Studying:
    <input type="radio" name="rbo_type" value="similar">Similar
    <input type="radio" name="rbo_type" value="exact">Exactly same
    <input type="radio" name="rbo_type" value="different">Different
    <input type="submit" name="btnsearch" value="Search">
</form>

This is php part:

if($_POST["btnsearch"])
{
   if(!empty($_POST["rbo_gender"]))
   {
       $gender = $_POST["rbo_gender"];
       $cond .= " and gender = '".$gender."'";
   }
   if(!empty($_POST["agefrom"]))
   {
       $agefrom = $_POST["agefrom"];
       $cond .= " and age >= '".$agefrom."'";
   }
   if(!empty($_POST["ageto"]))
   {
       $ageto = $_POST["ageto"];
       $cond .= " and age <= '".$ageto."'";
   }
   if(!empty($_POST["rbo_type"]))
   {
       $user_type = $_POST["rbo_type"];
       switch($_POST["rbo_type"])
       {
           case "similar": $cond .= " and user_bio like '%".$ageto."%'";
               break;
           case "exact": $cond .= " and user_bio = '".$ageto."'";
               break;
           case "different":$cond .= " and user_bio ! like '%".$ageto."%'";
               break;       
       }
   }

   $query = "select * from users where 1 ".$cond;
}

Please update query as per mysqli() & use bind param. Also instead of use @ try to use filter_input you can use REGEXP instead of like also. I have created the variable to use bind_param purpose.

Improve this answer

4 Comments

Hi, sorry for the late reply. I have tried your method after altering it requirements. But when I click search, nothing happens, it simply refreshes the page? For the moment, lets just consider the gender filter. I have ` $query = mysqli_query ($connect, "SELECT * FROM users WHERE account_type = 'user'".$cond);` as my query and when I select male from the radio option, it still shows me all users?
The code outlined here appears to be vulnerable to SQL Injection. In this day and age, there is really no excuse for failing to use prepared statements with bind placeholders, or at a minimum, properly escaping potentially unsafe values incorporated into SQL text. The approach in this answer may "work". But in terms of security, it gets a grade of FAIL.
@spencer7593, Here i had added only he concept & already mentioned that we must use bind_param & all other precaution for security....
@Freddy, please try to print "SELECT * FROM users WHERE account_type = 'user'".$cond it will give you the exact query.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.