Error filtering twice with combobox

Question

Error filtering twice with combobox

Navigation

#1 by (1 votes)

2

I try to filter by race, shift and cycle, with a combobox I get out but when I try to insert another one and also filter the previous one they do not work anymore, I hope they help me.

This is my code:

<form action="busquedaadmin.php" method="post">
  <select name="filtro"><option value="todos">
    <option value="Ingenieria de Sistemas">Ingenieria de Sistemas</option>
    <option value="Contabilidad">Contabilidad</option></select>
  <select name="filtro2"><option value="todos"></option>
    <option value="Manana">Mañana</option>
    <option value="Noche">Noche</option></select>
  <button type="submit">Filtrar</button></form>
<?php
if(isset($_POST['filtro'])){
  $filtro=$_POST['filtro'];
  switch($_POST['filtro']){
    case "todos":
      $sql = "select * from alumnos;";
      break;
    case "Ingenieria de Sistemas":
      $sql = "select * from alumnos WHERE carreraal='$filtro'";
      break;
    case "Contabilidad":
      $sql = "select * from alumnos WHERE carrera='$filtro'";
  }
}
if(isset($_POST['filtro2'])){
  $filtro2=$_POST['filtro2'];
  switch($_POST['filtro2']){
    case "todos":
      $sql = "select * from alumnos;";
      break;
    case "Manana":
      $sql = "select * from alumnos WHERE carreraal='$filtro' AND turnoal='$filtro2'";
      break;
    case "Noche":
      $sql = "select * from alumnos WHERE carreraal='$filtro' AND turnoal='$filtro2'";
      break;
  }
}
else{
  $sql = "select * from alumnos;";
}
$resultado=$mysqli->query($sql);
echo "<center><table><th>Id</th><th>Nombre</th><th>Descripcion</th>   <th>Precio</th><th>Fecha de Registro</th>";
while($row = mysqli_fetch_array($resultado))
{
  echo "<tr><td>{$row['codal']}</td> ".
       "<td>{$row['nombresal']} </td> ".
       "<td>{$row['apellidosal']} </td> ".
       "<td>{$row['carreraal']} </td> ".
       "<td>{$row['cicloal']} </td> ".
       "<td>{$row['turnoal']} </td></tr>";
} 
echo "</table></center>";
?>

mysql php

asked by Cristhian A. Villalobos Cuba 31.12.2016 в 15:29

source

1 answer

How to create a custom event in javascript Accumulate query in variable n times during a while

score 1 · Answer 1

Formatting the code makes the error easier to see. As you are doing now, this is what happens (I know it's going to be something complex):

If the first filter has any value, create the SQL query.

If the second filter has any value, create the SQL query.

If there is no second filter, create the SQL query.

Note how to put "create the query" in all points and does not update or extend, and how I put a separation between points 1 and 2 (if not, applies only to 2, not 1). This is because the query is completely replaced if any of the conditions is fulfilled (or not) . In fact, the SQL query of the first if (point 1) should never run , because when you reach point 2, if the condition is met the SQL query will be replaced in the switch . .. and if it is not met, it will be replaced in else (point 3).

Not only that but there is another fault. If the first filter ( $_POST['filtro'] ) has no value and you pass to the second filter ( $_POST['filtro2'] ), you should receive an error, because you would be using a variable that does not exist ( $filtro ) it is initialized in the first if (where it would not be entered).

And all this without going into what correctly puts Error404 in the comments: this code is vulnerable to SQL injection attacks . Something that, although you seem not to give importance, in my opinion should always be your first priority.

Another fault that there is is that it seems that in the second filter, it does not matter if the shift is morning or afternoon, the SQL query is the same in both cases.

My recommendation would be that if you want to apply the two filters, instead of rewriting the query each time, what you do is to extend the query with each filter. For example (and beware because this code may still suffer from SQL injection problems):

$sql = "SELECT * FROM alumnos WHERE 1=1 ";

if(isset($_POST['filtro'])){
  $filtro=$_POST['filtro'];
  switch($filtro){
    case "Ingenieria de Sistemas":
      $sql = $sql . " AND carreraal='$filtro' ";
      break;
    case "Contabilidad":
      $sql = $sql . " AND carrera='$filtro' ";
  }
}

if(isset($_POST['filtro2'])){
  $filtro2=$_POST['filtro2'];
  switch($filtro2){
    case "Manana":
      $sql = $sql . " AND turnoal='$filtro2'";
      break;
    case "Noche":
      $sql = $sql . " AND turnoal='$filtro2'";
      break;
  }
}