#1
searching from the url
What is the best way to search through a database through variables from the URL? I was looking at making a complex if {} else {} system, but it is daunting. I was wondering if anyone had any shortcuts they knew of. Is there a function of PHP I don't know of, maybe, that would help me out? Any help is much appreciated, thanks.
__________________
hey it's the CHARKING
#2
Please clarify this request. I'm not sure what you are asking.
__________________
Wil Moore III, MCP | Integrations Specialist | Senior Consultant Are You Listed...? | DigitallySmooth Inc.
#3
Yes, I am not really sure as to what you mean by this. If you mean just searching for, let's say, a news article, and in the URL id=2, then you would do:
Quote:
If this is not what you mean then you will have to be more specific and give an example.
#4
Don't Do This:
Quote:
Do This: PHP Code:
This is because register_globals are most likely turned off in your later versions of PHP. This can cause all sorts of portability problems.
#5
Just on another note regarding search queries... I log every search item which people enter to search my site... one in particular stood out... it was the following:

; delete from members; delete from customers;

My search SQL statement was simply SELECT * FROM table WHERE word LIKE search; I think that if I hadn't had the extra ";" at the end, the user who entered the search above (delete) could have deleted the tables..!!? (Any input on that would be appreciated!!) Would this have worked if I didn't have the ";" ??

To answer your question, thecharking, I would simply write an SQL statement which queries the DB using all the search terms. You could do it all in one statement, then simply output the results... that shouldn't really need too many IF statements... IF no results... echo "no results" else <show results>!!
#6
Quote:
I realized that when I posted it. I posted that method because he sounds like a beginner and I didn't want to confuse him. Also, it is unlikely that this application will be used as a large scale app, therefore portability is not as great a concern as it would be if it was a larger application and he wasn't a beginner. And before you reply to this one, take note of the actual words I have used, such as "unlikely", not impossible.
#7
Point taken devilfish... he may have been a beginner.
I agree. The only issue I see with not telling a user to use the $_GET style is that they will eventually see information telling them to use one or the other, then they are going to be really confused and end up having to do the research anyway. Better to learn it early than have to wait and struggle through it.
#8
Could have, fakker. That's why you should always validate your data. If you're doing a query by id passed through a form field or at the query string, then run intval() on the results to verify that somebody's not sending you something like
PHP Code:
in which case your query might be well-formed and some damage could be done. If somebody passed that value to your variable and you validated it to make sure you had an integer, then their malicious attempt would be foiled. Any time I'm reading data for insert or update, I make sure I place my quotes manually and run addslashes() to turn any value sent into a field value rather than a statement. There are probably more and better ways to validate user input, but these're a good start.
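The integer check described in post #8, applied to the search string logged in post #5, as an added example that is not code from the thread. It uses PDO bound parameters rather than addslashes(); the in-memory SQLite `news` table and the two input values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The news table is an assumption;
// the inputs are constructed stand-ins for $_GET['id'] and $_GET['search'].
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (title) VALUES ('First post'), ('Second post')");

$rawId     = '2; delete from news';
$rawSearch = '; delete from members; delete from customers;';

// intval() keeps the leading digits and drops everything after them.
$id = intval($rawId);
// Stricter: FILTER_VALIDATE_INT returns false unless the whole string is an integer.
$strict = filter_var($rawId, FILTER_VALIDATE_INT);

// Lookup by id: the value is bound, not concatenated into the SQL text.
$byId = $db->prepare('SELECT title FROM news WHERE id = ?');
$byId->execute([$id]);

// Search: the term is bound too; % _ and \ are escaped so they match literally.
$term = '%' . addcslashes($rawSearch, '%_\\') . '%';
$search = $db->prepare("SELECT title FROM news WHERE title LIKE ? ESCAPE '\\'");
$search->execute([$term]);

printf("intval: %d, strict: %s\n", $id, var_export($strict, true));
printf("by id: %s\n", $byId->fetchColumn());
printf("search hits: %d\n", count($search->fetchAll()));
printf("rows still in news: %d\n", $db->query('SELECT COUNT(*) FROM news')->fetchColumn());
```

Because the statement text is fixed before any user value is attached, the logged search string can only ever be compared against `title`; it is never parsed as SQL.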
#9
thanks
Alright so, sorry I wasn't clear, and haven't been able to respond to all your responses (thanks btw). Alright, so I want to simply allow a user to search from a page for certain users, by name, age, whatever info is in the db... and see, I can do this for each thing by passing the variables through the URL (and I always change the URL variable into a page variable with $_GET['']). But say that someone wants to find a user based on age and name. Well, what would be the best way to do this? Because if I try querying the db according to which things are passed, by using if statements, that means I have to check for each one in various ways... is there a way to query a db by, say, trying select * from users where userid = $userid and/or blah = $blah... anyway, is there a way to do that that seems fast? If not, I would like to know how to search according to many variables at once.
thanks guys
#10
well,...this can get complex,....you need to provide for every option you plan to search by...
here is how I specify the sort method and the direction of the sort. PHP Code:
you really need to step back and think about this,..because you need to build this so that you only query the fields that are present. that will speed your search up considerably.
__________________
-- Jason
#11
There are lots of little details that you must consider.
1. What your SQL will look like if the user searches by their word in full or just with whatever they type in return anything with that word in it... take a look at Google's advanced search: http://www.google.com/advanced_search You will notice they have 4 options at the top. Each of these produces different SQL in the WHERE portion. For instance, if I wanted to do a search on FirstName and LastName, SQL would look something like this: PHP Code:
For a full word match you would just do WHERE field = word. You can still use the LIKE pattern if you want but it does slow you down a little bit.
2. Next you just need to remember you will need to build your query up from whatever is posted to the search script. This means you have to code in conditions for every field selected to search on. Just remember that you can treat this part of your SQL as an array and just split it... instead of the usual comma as a delimiter use the SQL constructs to tie them all together again.
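One way to build the query from only the fields that were submitted, as posts #10 and #11 describe, written as an added example that is not code from the thread. The `users` table, its columns, the request keys (`firstname`, `lastname`, `age`, `sort`, `dir`) and the function name `buildUserSearch` are assumptions; the sample request is constructed.

```php
<?php
// Added example, not code from the thread. The users table, its columns
// and the request keys (firstname, lastname, age, sort, dir) are assumptions.
function buildUserSearch(array $in): array
{
    // Whitelists: column names and operators never come from the request.
    $searchable = ['firstname' => ['FirstName', 'LIKE'],
                   'lastname'  => ['LastName',  'LIKE'],
                   'age'       => ['Age',       '=']];
    $sortable   = ['firstname' => 'FirstName', 'lastname' => 'LastName', 'age' => 'Age'];

    $where = $params = [];
    foreach ($searchable as $key => [$column, $op]) {
        $value = $in[$key] ?? '';
        if (!is_string($value) || $value === '') {
            continue;                        // field not submitted: leave it out
        }
        if ($op === '=' && filter_var($value, FILTER_VALIDATE_INT) === false) {
            continue;                        // non-integer age is ignored
        }
        $where[]  = "$column $op ?";         // placeholder, never the value itself
        $params[] = ($op === 'LIKE') ? "%$value%" : $value;
    }

    $sql = 'SELECT FirstName, LastName, Age FROM users';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);   // conditions array glued with AND
    }
    // Sort column and direction are looked up, so unknown values fall back to defaults.
    $sort = is_string($in['sort'] ?? null) ? $in['sort'] : '';
    $dir  = (($in['dir'] ?? '') === 'desc') ? 'DESC' : 'ASC';
    $sql .= ' ORDER BY ' . ($sortable[$sort] ?? 'LastName') . " $dir";
    return [$sql, $params];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (FirstName TEXT, LastName TEXT, Age INTEGER)');
$db->exec("INSERT INTO users VALUES ('Ann','Lee',30), ('Bob','Lee',41), ('Ann','Ray',30)");

// Constructed stand-in for $_GET; sort carries the string logged in post #5 on purpose.
$get = ['firstname' => 'Ann', 'age' => '30', 'sort' => '; delete from members;', 'dir' => 'desc'];
[$sql, $params] = buildUserSearch($get);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo $sql, "\n";
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Adding a searchable field means adding one entry to `$searchable`, not another if/else branch. ORDER BY cannot take a bound parameter, which is why the sort column goes through a lookup table instead.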
#12
I was afraid it would be complex. Okay, so I guess I'll just have to think about it a lot and do it. I was hoping there was a shortcut. Oh well, this ought to be fun. I'll tell you if I get more problems, and I'm sure I will....
#13
the best way to learn is to do it,.....you will start out small then think to yourself,..."hey,...if I did this and this,...it would be sooo much more flexible",....then you will upgrade your code,...and go through this process forever