Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Simple way to implement an complex search form.

Optimization

Simple way to implement an complex search form.

by shaddow Posted Mar 4, 2004 (Edited May 31, 2008)

I've seen a few time ago somone asking help for an complex search form. I cant remember what post but the search page was to complex to at least be shure that you wont miss something from the search.

I've been using an simple idee for some time and it seems that it works for any amount of search fields.

I'll make this example with 4 parameters.

Code:

database - clients
id        - numeric
name      - varchar(text)
ocupation - varchar(text)
age       - numeric

i'll assume that the search will be after name,ocupation and age with and display order

[color red]
I've received a good sugestion to add some warnings about how vulnerable is this code to "SQL injection attacks". This is true and the code presented here should be used as guideline and should be propper sanitized against SQL injection attacks.
[/color]

search.html
<form action="search.asp" method=post>
Name:<input name="name"><br>
Ocupation:<input name="ocupation"><br>
Age:<input name="age"><br>
Order:<select name="order">
       <option value="">No order
       <option value="name">Name
       <option value="ocupation">Ocupation
       <option value="age">Age
      </select>
</form>

search.asp -  i'll explain only the important code here
<%
'objConn - database connection
'rs      - recordset object
'using Request("fieldname") will solve the post or get paramaters

'getting search variables
name=Request("name")
ocupation=Request("ocupation")
age=Request("age")
order=Request("order")

'initializing query variables
sql_name=""
sql_ocupation=""
sql_age=""
sql_order=""

'setting up the query parts
'if name it's empty it search for every name
if name<>"" then
 sql_name=" AND name like '%"&name&"%'"
end if

'if ocupation it's empty it search for every ocupation
if ocupation<>"" then
 sql_ocupation=" AND ocupation like '%"&ocupation&"%'"
end if

'if age it's empty it search for every age
if age<>"" then
 sql_age=" AND age="&age
end if

if order<>"" then
 sql_order=order
else
 'default order
 sql_order="id"
end if

'building up the main query simple and easy
sql="select * from clients where 1=1 " & sql_name & " " & sql_ocupation & " " & sql_age & " order by " & sql_order

rs.Open sql,objConn,3,3

%>

This should solve all the problems and complications in your search criteria.
The mai trick is using "where 1=1" thing which gives you the liberty to add to each condition easy in your main sql statement.

Please Note: 1 is Bad, 10 is Good :-)

Part and Inventory Search

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Back

Top