PHP is actioning all IF Functions not the exact match

Question

I am currently writing a search form in PHP for an SQL query. The user can enter information in any field (aslong as one has information in). Once the form is submitted the mySQL table is searched based on the criteria that they submitted.

The problem I am having is that each IF statement is running not just the one that matches exactly, e.g. if I complete all 3 criteria I get a search for the first criteria, then the second and first and then again for the first second and third.

Any help is appreciated. (This is only for internal use so I know about the SQL security etc but it not important at this point).

<?php

require 'connectdb.php';

// if there is ONLY a value in the Floor Field
if (!empty($_POST['Floor'])) 
{
  $result = mysqli_query($con, "SELECT * FROM issuelog WHERE floor='$_POST[Floor]'");
}   
while($row = mysqli_fetch_array($result))
{
  include("searchoutputform.php");
}

// if there is ONLY a value in the Floor Field
if (!empty($_POST['Floor'])) 
{
  $result = mysqli_query($con, "SELECT * FROM issuelog WHERE floor='$_POST[Floor]'");
}   
while($row = mysqli_fetch_array($result))
{
  include("searchoutputform.php");
}

// if there is ONLY a value in the flat number Field
if (!empty($_POST['flatno'])) 
{
  $result = mysqli_query($con, "SELECT * FROM issuelog WHERE   flatnumber='$_POST[flatno]'");
}   
while($row = mysqli_fetch_array($result))
{
  include("searchoutputform.php");
}

// if there is a value in the floor and flatno field then do this:
if (!empty($_POST['Floor']) && (!empty($_POST['flatno']))) 
{
  $result = mysqli_query($con, "SELECT * FROM issuelog WHERE floor='$_POST[Floor]' AND   flatnumber='$_POST[flatno]'");
}   
while($row = mysqli_fetch_array($result))
{
  include("searchoutputform.php");
}

// second if - if there is something in the floor, flatno and status field then do this:
if (!empty($_POST['Floor']) && (!empty($_POST['flatno']) && (!empty($_POST['status']))))
{
  $result = mysqli_query($con, "SELECT * FROM issuelog WHERE floor='$_POST[Floor]' AND     flatnumber='$_POST[flatno]' AND status='$_POST[status]'");
}   
while($row = mysqli_fetch_array($result))
{
  include("searchoutputform.php");
}

// if there is a value in the floor and status field then do this:
if (!empty($_POST['Floor']) && (!empty($_POST['status']))) 
{
  $result = mysqli_query($con, "SELECT * FROM issuelog WHERE floor='$_POST[Floor]' AND status='$_POST[status]'");
}   
while($row = mysqli_fetch_array($result))
{
  include("searchoutputform.php");
}

// CLOSE CONNECTION TO DATABASE 
mysqli_close($con);

?>

**Building SQL statements with outside variables makes your code vulnerable to SQL injection attacks.** Also, any input data with single quotes in it, like "O'Malley", will blow up your query. Learn about parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174) has many detailed examples. See also http://bobby-tables.com/php for alternatives & explanation of the danger. **Running SQL statements built with outside data is like eating soup made from ingredients found on your doorstep.** — Andy Lester, May 02 '14 at 12:32

score 0 · Accepted Answer · answered May 02 '14 at 10:54

0

What I think you mean by this is that if you enter a value for 'Floor' and 'flatno' and 'status' then you are getting back results for all queries. This is because the other two if statements (than the one you want) specify only that the two fields in question need filling, but not that the third must be empty. So all if conditions are met. You need to specify in each that for that condition to run, the others should be empty.

For example, make your first condition this:

if ((!empty($_POST['Floor']))&&(empty($_POST['flatno']))&&(empty($_POST['status']))){

And repeat this for all conditions. If I haven't explained this well enough let me know and I'll clarify why

answered May 02 '14 at 10:54

James Cushing

718
1
9
18

thanks for your help James, I was thinking of trying this however how do I pass a blank value that would work in this situation from my PHP form. The floor and status are dropdown fields ( – user3524782 May 02 '14 at 11:17
Exactly! Depending on whether it's a string, integer, etc. you can set different 'empty' values. See the PHP docs: [empty](http://uk1.php.net/empty) – James Cushing May 02 '14 at 13:18

score 0 · Answer 2 · answered May 02 '14 at 10:55

Try this It will help you and why writing the same while condition these many times just add once in the last:
<?php

require 'connectdb.php';

// second if - if there is something in the floor, flatno and status field then do this:

if (!empty($_POST['Floor']) && (!empty($_POST['flatno']) && (!empty($_POST['status']))))
{

    $result = mysqli_query($con,"SELECT * FROM issuelog WHERE floor='$_POST[Floor]' AND     flatnumber='$_POST[flatno]' AND status='$_POST[status]'");
}


// if there is a value in the floor and flatno field then do this:
if (!empty($_POST['Floor']) && (!empty($_POST['flatno'])))
{

    $result = mysqli_query($con,"SELECT * FROM issuelog WHERE floor='$_POST[Floor]' AND   flatnumber='$_POST[flatno]'");
}


// if there is a value in the floor and status field then do this:
if (!empty($_POST['Floor']) && (!empty($_POST['status'])))
{

    $result = mysqli_query($con,"SELECT * FROM issuelog WHERE floor='$_POST[Floor]' AND status='$_POST[status]'");
}

// if there is ONLY a value in the Floor Field
    if (!empty($_POST['Floor'])) 
{

    $result = mysqli_query($con,"SELECT * FROM issuelog WHERE floor='$_POST[Floor]'");
}   


 // if there is ONLY a value in the flat number Field
    if (!empty($_POST['flatno'])) 
{

    $result = mysqli_query($con,"SELECT * FROM issuelog WHERE   flatnumber='$_POST[flatno]'");
}   



// if there is ONLY a value in the flat number Field
if (!empty($_POST['status']))
{

    $result = mysqli_query($con,"SELECT * FROM issuelog WHERE   flatnumber='$_POST[status]'");
}



    while($row = mysqli_fetch_array($result))
  {

include( "searchoutputform.php" );
  }



// CLOSE CONNECTION TO DATABASE 
mysqli_close($con);
?>

Worth noting that fetching rows without binding requires the mysqlnd driver, which can cause problems if OP is using something like phpmyadmin — James Cushing, May 02 '14 at 13:21

PHP is actioning all IF Functions not the exact match

2 Answers2