编写搜索过滤器-是在SQL级别还是在PHP级别进行过滤?
[英]Writing a search filter — filter at the SQL level or PHP level?
问题描述
I have an ajax filter on a search page that filters teacher results based on a set of criteria that can be manipulated by the user. 
我在搜索页面上有一个ajax过滤器,该过滤器根据一组可由用户操纵的条件过滤教师成绩。 I'm trying to decide whether to 我正在尝试决定是否
1) first go get all the teachers data, then in PHP make a new array of just those teachers who aren't affected by the negative filters 1)首先获取所有教师数据,然后在PHP中创建一个新数组,其中包含不受否定过滤器影响的那些教师
or 要么
2) build an sql query with a number of WHERE clauses, ie 'WHERE pay = $pay && city = $city && distance < $distance". 2)用多个WHERE子句构建一个SQL查询,即“ WHERE pay = $ pay && city = $ city && distance <$ distance”。
Part of me thinks that number 2 might be a better option, but I'm already unsure of how to fill the query's variable values when the user hasn't specified a certain filter. 我的一部分认为,数字2可能是更好的选择,但是我已经不确定在用户未指定特定过滤器时如何填充查询的变量值。 So, for example, if $pay is undefined, the query will fail. 因此,例如,如果未定义$ pay,则查询将失败。 in this case, what I would like to do is query teachers regardless of their pay. 在这种情况下,我想做的就是查询老师,而不管他们的薪水如何。
3 个解决方案
解决方案1
0 2013-12-25 01:09:10
For the SQL approach, you should build your query based on whether or not the inputs are empty 对于SQL方法,应基于输入是否为空来构建查询。
Something like 就像是
$sql = 'SELECT * FROM Teachers';
$filter = array();
if (!empty($pay)) $filter[] = 'pay = "'.$pay.'"';
if (!empty($city)) $filter[] = 'city = "'.$city.'"';
if (!empty($city)) $filter[] = 'distance < "'.$distance.'"';
if (!empty($filter)) {
$and = ' WHERE';
foreach ($filter as $f) {
$sql .= $and.' '.$f;
$and = ' AND';
}
}
Mind you, you should be concerned about SQL injection since this is just a simple demonstration. 请注意,您应该担心SQL注入,因为这只是一个简单的演示。
解决方案2
0 2013-12-25 01:10:01
If you don't have a lot of teachers in the database you can fetch all of them and handle it in PHP as you suggested. 如果数据库中没有很多老师,则可以按照他们的建议获取所有老师并在PHP中进行处理。
If you don't want to fetch a lot of data you can go with the second option. 如果您不想获取大量数据,则可以选择第二种方法。 In that case you might want to build a dynamic query. 在这种情况下,您可能要构建一个动态查询。
for example: 例如:
$payCond = "";
...
if (isset($pay) && $pay != ""){
if ($payCond != ""){
$payCond .= "And ";
}
$payCond = "pay=" . intval($pay);
}
解决方案3
0 2013-12-25 01:15:05
Query as close to the database as possible. 查询尽可能靠近数据库。 That said, you can use vacuous expressions to simplify code: 也就是说,您可以使用vacuumus表达式来简化代码:
$payExpr = (isset($_REQUEST['pay']) ? 'pay='.$_REQUEST['pay'] : '1=1');
$query = "select * from Foo where $payExpr";
The secret sauce here is using '1=1' when pay not given. 没有支付时,这里的秘诀就是使用“ 1 = 1”。 However, there is still more you need to do that I'm skipping in this quick example, like avoiding sql injection with bound parameters. 但是,在此快速示例中,我还需要跳过更多操作,例如避免使用绑定参数进行sql注入。 Caveat emptor: I havent compiled this code, as I am pecking on a tablet! 请注意:当我在平板电脑上啄食时,我尚未编译此代码!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.