php - Search Database for strings -
Am I going the right way? I've got 4 input areas that revolve around filtering a DB search, and I'm a little confused about how to do it correctly. I've got:
```php
$e_s = mysql_real_escape_string($_POST['var_specs']);
$ven = mysql_real_escape_string($_POST['vender']);
$xtp = mysql_real_escape_string($_POST['xtype']);
$sar = mysql_real_escape_string($_POST['sarea']);

if (strlen($e_s) > 1) {
    if ($e_s && $area == "vars") {
        $areasearch  = "db_vars";
        $typeresults = "vars";
        $typeurl     = "vars";
        $search      = $e_s;
    }
    // if vender
    if ($ven == "all" || $ven == "") {
        $vender_search = "%";
    } else {
        $vender_search = "%" . $ven . "%";
    }
    // if type
    if ($xtp == "all") {
        $xtype_search = "%";
    } else {
        $xtype_search = "%" . $xtp . "%";
    }
    // if area
    if ($sar == "all") {
        $sarea_search = "%";
    } else {
        $sarea_search = "%" . $sar . "%";
    }
    // run query
    $result = mysql_query("SELECT * FROM " . $areasearch
        . " WHERE name LIKE '%" . $search . "%'"
        . " AND vender LIKE '" . $vender_search . "'"
        . " AND xtype LIKE '" . $xtype_search . "'"
        . " AND sarea LIKE '" . $sarea_search . "'");
}
```
An improved method would be this:
```php
$parameters = array();
if ($ven != "all" && $ven != "") {
    $parameters[] = "vender LIKE '%" . mysql_real_escape_string($ven) . "%'";
}
if ($xtp ...) {
    $parameters[] = ...
}
if ($sar ...) {
    etc...
}
if (count($parameters) > 0) {
    $where_clause = implode(' AND ', $parameters);
    $sql = "SELECT * ... $where_clause";
    $result = mysql_query($sql) or die(mysql_error());
    ...
} else {
    die("no search parameters entered");
}
```

Note the call to mysql_real_escape_string() above. It escapes SQL metacharacters in user-provided text and prevents SQL injection attacks. Never, ever directly insert user-provided data into a database query, unless you're the only person who'd ever use the system.
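The same filtered search can be built without any string concatenation of user input at all, using PDO prepared statements. The added example below is not the questioner's or the answerer's code; the table and column names (db_vars, name, vender, xtype, sarea) are taken from the question, and the helper names `likeTerm()` and `buildSearch()` are my own. It also handles one point the escaping approach above leaves open: mysql_real_escape_string() does not touch the LIKE wildcards `%` and `_`, so a user term like `50%` would act as a pattern; the example escapes them with an explicit ESCAPE character. The demo rows and the in-memory SQLite database are constructed so the script runs offline.

```php
<?php
// Added example, not from the question or answer above. Filtered search with
// PDO prepared statements: column names come from a fixed allow-list, user
// input only ever travels as bound parameters, never as SQL text.
// Table and column names follow the question (db_vars, name, vender, xtype,
// sarea); the function names are assumptions for this example.

/**
 * Wrap a user-supplied term in LIKE wildcards, escaping any '%' or '_' the
 * user typed so they match literally. '!' is used as the ESCAPE character.
 */
function likeTerm(string $term): string
{
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

/**
 * Build the db_vars query. $search is the required name term; $filters maps
 * column => value, where "" or "all" means "no constraint on this column".
 * Columns not in the allow-list are ignored. Returns [sql, params].
 */
function buildSearch(string $search, array $filters): array
{
    $allowed = ['vender', 'xtype', 'sarea'];   // the only filterable columns
    $where   = ["name LIKE :name ESCAPE '!'"];
    $params  = [':name' => likeTerm($search)];

    foreach ($allowed as $col) {
        $value = $filters[$col] ?? '';
        if ($value === '' || $value === 'all') {
            continue;                           // "all" / empty: no constraint
        }
        $where[]         = "$col LIKE :$col ESCAPE '!'";
        $params[":$col"] = likeTerm($value);
    }

    return ['SELECT * FROM db_vars WHERE ' . implode(' AND ', $where), $params];
}

// --- demo against an in-memory SQLite database with constructed rows ---
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE db_vars (name TEXT, vender TEXT, xtype TEXT, sarea TEXT)');
$ins = $pdo->prepare('INSERT INTO db_vars VALUES (?, ?, ?, ?)');
foreach ([
    ['50% off valve', 'acme',   'pump',   'north'],
    ['500 valve',     'acme',   'pump',   'south'],
    ['relay',         'globex', 'switch', 'north'],
] as $row) {
    $ins->execute($row);
}

// A term containing quotes or SQL keywords is just data to the driver: it is
// compared against the name column and matches nothing in this data set.
foreach (["valve", "50%", "' OR 1=1 --"] as $term) {
    [$sql, $params] = buildSearch($term,
        ['vender' => 'acme', 'xtype' => 'all', 'sarea' => '']);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    printf("%-14s -> %d row(s)\n", $term, count($stmt->fetchAll(PDO::FETCH_ASSOC)));
}
```

Against MySQL, replace the DSN with `mysql:host=...;dbname=...` and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared server-side; the query-building code is unchanged. The allow-list is what keeps the dynamic WHERE safe: the column names are chosen from a constant array, so even the part of the SQL that varies per request never contains anything the user typed.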
php mysql