
I can receive a variable from a user in a form and send it to another page. There I get the variable and search for it in the database. But when I try to allow the user to search multiple variables at the same time (that is, they can search for one or more items), I have a problem: I cannot write a query in such a way that it works when the user enters one item and also when more than one item has been entered. This is my HTML document:

<form name="search-class-form" id="search-class-form" action="search.php" method="post">
  <div class="rafig-margin">
    <label for="class_id">class id: </label>
    <!-- field name matches the $_POST['id'] key read by search.php -->
    <input type="number" name="id" id="class_id"><br>
  </div>
  <div class="rafig-margin">
    <label for="className">teacher name: </label>
    <input type="text" name="name" id="className"/>
  </div>
  <div class="rafig-margin">
    <label for="grade">level: </label>
    <input type="number" name="paye" id="grade" min="1" max="13"/>
  </div>
  <!-- escape the value taken from the URL so it cannot break out of the attribute -->
  <input type="hidden" name="student_id" value="<?= htmlspecialchars($_GET['id'] ?? '') ?>"/>
  <div class="rafig-margin">
    <button class="rafig-button" style="float: left" type="submit" id="search-class">جستجو کن</button>
  </div>
</form>

And this is my PHP page:

<?php
$condition = "";
if (isset($_POST['id']) && !empty($_POST['id'])) {
    $id = $_POST['id'];
    $condition .= "WHERE id=" . $_POST['id'];
}
if (isset($_POST['name']) && !empty($_POST['name'])) {
    $name = $_POST['name'];
    // each extra filter appends another WHERE, which is the problem described above
    $condition .= " WHERE name=" . $_POST['name'];
}
if (isset($_POST['paye']) && !empty($_POST['paye'])) {
    $level = $_POST['paye'];
    $condition .= " WHERE paye=" . $_POST['paye'];
}
$student_id = $_POST['student_id'];
include_once("../classes/conect.php");
$query = "SELECT * FROM calss " . $condition;

I know how to continue

rafig khiyavi
  • **Warning!** You're open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Jul 25 '21 at 10:19
  • Please format your code properly when posting it here. Remove the unnecessary indention from the HTML block and add some sensible indention and line breaks to the second part. It's very messy and hard to read at the moment. You also have a typo: `f(isset($_POST['paye'])&&!empty($_POST['paye']))` (missing the `i` in `if`). There also seem to be other typos. You should make it as easy as possible for us to read it. – M. Eriksson Jul 25 '21 at 10:21
  • Why voting down a new contributor just because he doesn't know exactly how to post his code? Personally I prefer to be a little more welcoming and tolerant. – migli Jul 25 '21 at 10:35
  • @migli - I'm not the down voter, but when you post a question, there are links telling you how to properly format your question. You also get a preview of the question before you post it. Imho, if someone asks other people to spend their time helping them, they can at least make sure that the question is as well written as possible. It also contains typos that would throw errors, which indicates it's a "sloppy" rewrite of their code instead of a proper copy/paste, or they've just ignored to mention any errors they're getting. – M. Eriksson Jul 25 '21 at 10:40
  • I tried to write the code better and cleaner. That was my first question here. Therefore, I am not very familiar with the environment of this site. But I try to be more careful than before. Thanks for the tips Magnus Eriksson @migli Thank you for your answer – rafig khiyavi Jul 26 '21 at 13:22

1 Answer

-1

Welcome to Stack Overflow.

Your code is a bit redundant, you'd better do this within a loop. You just have to use a variable to replace 'WHERE' with 'AND' after the 1st condition.

To avoid SQL injections, @Magnus Eriksson is right, prepared statements are the best way. Else the mysql_real_escape_string() function will prefix the single quotes with a backslash, which will secure your query.

Here's a sample code:

<?php
include_once("../classes/conect.php");

$keys  = ['id', 'name', 'paye', 'student_id'];
$where = ' WHERE ';
$query = 'SELECT * FROM calss';

foreach ($keys as $k) {
    // skip fields the form sent but the user left blank
    if (isset($_POST[$k]) && $_POST[$k] !== '') {
        // the value is escaped but not quoted, so this only works for numeric values
        $query .= $where . $k . '=' . mysql_real_escape_string($_POST[$k]);
        $where = ' OR '; // don't know if you want "OR" or "AND"
    }
}
migli
  • **Warning!** This code is open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. `addslashes()` is _not_ by any means enough to prevent SQL injections. – M. Eriksson Jul 25 '21 at 10:34
  • addslashes is better than nothing. mysql_real_escape_string is better than addslashes. PDO is the perfect clean solution. (I edited my answer, thanks.) So you're the downvote freak? – migli Jul 25 '21 at 10:46
  • 1. I only down voted this because it proposed insecure code (which is a perfectly valid reason for a down vote) which made it a low quality answer. 2. I only down voted this, not the OP's question (like I've already told you). 3. _"addslashes is better than nothing. mysql_real_escape_string is better than addslashes"_ - It doesn't matter if x is better than y if neither is good enough. When it comes to security, the only "good enough" is the absolute best way possible, which is to use prepared statements with bound parameters. Period. And mysqli can be just as secure as PDO if used correctly. – M. Eriksson Jul 25 '21 at 10:50
  • I'm not so sure that addslashes and deprecated and insecure APIs are better than nothing. I think addslashes is essentially the same as nothing. It's easy (arguably actually easier) to write secure code, so let's do it! –  Jul 25 '21 at 13:26
  • `mysql_real_escape_string` is neither 100% safe... but I'm using it in some internal apps – Flash Thunder Jul 26 '21 at 13:24
  • This is good. But it cannot manage strings. – rafig khiyavi Jul 30 '21 at 15:15
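Both the question's code and the answer's loop build the WHERE clause by concatenating submitted values into the SQL text, which is what the comments object to and why string values break. The following is an added example, not the asker's or migli's code: the same loop-and-join idea, but with a whitelist mapping form fields to columns and PDO bound parameters, so the user's input never becomes SQL. It assumes the table `calss` with columns `id`, `name` and `paye` from the question, and that `../classes/conect.php` creates a PDO connection in `$pdo` (the variable name is an assumption).

```php
<?php
// Added example: dynamic WHERE clause with a column whitelist and bound
// parameters. Assumes ../classes/conect.php sets up a PDO object in $pdo
// (assumption) and that the table calss has columns id, name and paye.
include_once("../classes/conect.php");

// Form field => column. Only keys listed here can ever reach the SQL text,
// so a field name cannot be used to smuggle in extra SQL.
const CLASS_FILTERS = ['id' => 'id', 'name' => 'name', 'paye' => 'paye'];

/**
 * Returns [$sql, $params] for the submitted input. Blank or absent fields are
 * skipped; whatever remains (one field or several) is joined with AND.
 */
function buildClassSearch(array $input): array
{
    $clauses = [];
    $params  = [];
    foreach (CLASS_FILTERS as $field => $column) {
        // Strict blank check instead of empty(): empty('0') is true and would
        // silently drop a legitimate search for id=0 or paye=0.
        if (!isset($input[$field]) || trim((string) $input[$field]) === '') {
            continue;
        }
        $clauses[] = "$column = :$field";      // placeholder, not the value
        $params[":$field"] = $input[$field];   // value travels separately
    }
    $sql = 'SELECT * FROM calss';
    if ($clauses !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

// Constructed sample input: id left blank, a name containing a quote, level 7.
$sample = ['id' => '', 'name' => "O'Brien", 'paye' => '7'];
[$sql, $params] = buildClassSearch($sample);
// $sql is now "SELECT * FROM calss WHERE name = :name AND paye = :paye";
// the quote in the name is harmless because it is bound, never concatenated.

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

In the real page `$sample` would be replaced by `$_POST`; with no filled fields the function returns the plain `SELECT * FROM calss` with an empty parameter list, so the same two prepare/execute lines cover every case.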