patternphpMinor
Querying a database with PHP
Viewed 0 times
databasephpwithquerying
Problem
I'm new to PHP programming. I would love some feedback on this simple code I wrote which queries a database based on some arguments supplied by a user and returns an HTML table displaying the data.
The table in my db has three columns:
The user picks from three drop down menus on the web page and this php script is called with the data.
The table in my db has three columns:
Manufacturer, Model, ForSale.The user picks from three drop down menus on the web page and this php script is called with the data.
query($q);
// generate the output table
$output = "";
$output .= "MANUFACTURERMODELFOR SALE";
while ($res = $response->fetchArray()) {
$id = $res['Id'];
$txtMfr= $res['Manufacturer'];
$txtModel= $res['Model'];
$txtForSale = $res['ForSale'];
$output .= "$id$txtMfr$txtModel$txtForSale$status";
}
$output .= "";
echo $output;
$db->close();
?>Solution
Generally, it is a good idea to separate your view logic from your business logic, e.g your data access.
The code you've presented is procedural, and whilst there's nothing wrong with that at this stage, it could become unsustainable in terms of future maintainability.
One thing that I am conscious about, is that you are directly plugging variables into your SQL query that you are constructing: there is a risk of SQL injection. I would suggest that you wrap your variables with
You seem to be be using
I would then personally output the data into an array, which can then be passed to a view. Using a
The code you've presented is procedural, and whilst there's nothing wrong with that at this stage, it could become unsustainable in terms of future maintainability.
One thing that I am conscious about, is that you are directly plugging variables into your SQL query that you are constructing: there is a risk of SQL injection. I would suggest that you wrap your variables with
sqlite_escape_string before placing them into your query. I note that you might want to look into PDO for database portability and a 'better' layer between your application and the database.You seem to be be using
strpost to ascertain whether a manufacturer was 'All'. I would suggest doing the following:$whereSubClause = array();
/* Firstly identify if we have 'All' as the manufacture -
* if we do, we don't need to add constraints to the query.
*/
if ( 'All' != $manufacturer ){
$mfg = sqlite_escape_string($manufacturer);
$whereSubclause[] = "`Manufacturer` = {$mfg}";
}
if ( 'Any' != $model ){
$model = sqlite_escape_string($model);
$whereSubclause[] = "`Model` = {$model}";
}
if ( 'Any' != $forsale ){
$forSale = sqlite_escape_string($forsale);
$whereSubclause[] = "`ForSale` = {$forSale}";
}
// We can now safely construct the SQL --
// I haven't provided the method for this, but you'd end up with:
$query = "SELECT * FROM `vehicles` WHERE (`Manufacturer` = 'AMG') AND (`Manufacturer` = 'AMG') AND (`ForSale` = '1')"I would then personally output the data into an array, which can then be passed to a view. Using a
foreach loop, I would construct the rows in the table.Code Snippets
$whereSubClause = array();
/* Firstly identify if we have 'All' as the manufacture -
* if we do, we don't need to add constraints to the query.
*/
if ( 'All' != $manufacturer ){
$mfg = sqlite_escape_string($manufacturer);
$whereSubclause[] = "`Manufacturer` = {$mfg}";
}
if ( 'Any' != $model ){
$model = sqlite_escape_string($model);
$whereSubclause[] = "`Model` = {$model}";
}
if ( 'Any' != $forsale ){
$forSale = sqlite_escape_string($forsale);
$whereSubclause[] = "`ForSale` = {$forSale}";
}
// We can now safely construct the SQL --
// I haven't provided the method for this, but you'd end up with:
$query = "SELECT * FROM `vehicles` WHERE (`Manufacturer` = 'AMG') AND (`Manufacturer` = 'AMG') AND (`ForSale` = '1')"Context
StackExchange Code Review Q#28055, answer score: 3
Revisions (0)
No revisions yet.