I’m working on a fairly big project that allows users of my client’s site to search for people they used to know who might’ve changed their names, primarily due to marriage. Basically, users sign up with all the names they’ve ever used and the data gets entered into a MySQL database. The next step is actually creating the search, which allows users to put in the names they remember someone by.
This is an example registration in the database:
username first0 first1 first2 first3 first4(email) Lisa John Frank Sam SmithRight now, my query looks like this:
SELECT * FROM NAMESWHERE ( `names`.`first0` IN ("Lisa", "Sam", "") AND `names`.`first1` IN ("Lisa", "Sam", "") AND `names`.`first2` IN ("Lisa", "Sam", "") AND `names`.`first3` IN ("Lisa", "Sam", "") AND `names`.`first4` IN ("Lisa", "Sam", "")**Substitute out the exact names there for data entered in the search form.
This query doesn’t work because first2 = Frank, which isn’t included in the list. If a person doesn’t know every name someone entered in the database, everything breaks.
However, I don’t think I want to use OR statements, because I don’t want all the results where a name matches Lisa to be returned if someone puts Lisa as just one of the names.
Does anyone know how I could go about doing this?
Advertisement
Answer
You’re constrained unnecessarily here. Consider instead:
UserUserId, OtherDataUserNamesUserId, Name, KindData like:
UserId, OtherData1, BlahblahUserId, Name, Type1, Lisa, First 1, Jane, Middle1, Smith, Last 1, Leese, First1, Jones, LastLisa Jane Smith, also known as Leese, married and changed name to Lisa Jane Jones
If you present the website user with a “Enter any number of names and indicate their kind” you can then run a query that finds the userids that have all the name kinds mentioned
This can be as simple as dynamically joining, or doing conditional aggregation
Eg if the web user enters “Leese” as firstname and “Jones” as lastname then you can:
SELECT UserID FROM UserNames WHERE (name = 'Leese' AND type = 'First') OR (name = 'Jones' AND type = 'Last')GROUP BY UserID HAVING count(*) = 2 --2 is the number of names entered, leese and jones. If your where clause had 5 names, this would be 5Or you can use a join approach (and this for if the web user enters 3 names/kinds):
SELECT u1.UserID FROM UserNames u1 INNER JOIN Usernames u2 ON u1.UserID = u2.UserID INNER JOIN Usernames u3 ON u1.UserID = u3.UserIDWHERE u1.name = 'Leese' AND u1.type = 'First' AND u2.name = 'Jones' AND u2.type = 'Last' AND u3.name = 'Smith' AND u3.type = 'Last' AND When you go to form your dynamic queries, don’t concatenate the values into SQL. Just because you’re making a query dynamic built is not an excuse to throw parameterization out of the window. You build the SQL by concatenating together the SQL string with parameter placeholders in and then give the parameters values separately
Pseudocode (i don’t know php) in a language that interpolates its strings with {placeholders}:
string fromclause = ""string whereclause = ""for i = 0 to webrequest.form.values.length - 1 string name = webrequest.form.values[i].name string type = webrequest.form.values[i].type if i == 0 then fromclause = fromclause + "Usernames u{i}" else fromclause = fromclause + " INNER JOIN Usernames u{i} ON u1.UserID = u{i}.UserID whereclause = whereclause + " u{i}.Name = @paramName{i} AND u{i}.type = @paramType{i}" sqlcommand.parameters.add("@paramName{i}", name) sqlcommand.parameters.add("@paramType{i}", type)next isqlcommand.commandtext = "SELECT UserID FROM {fromclause} WHERE {whereclause}"You finish up with a sql command that is all parameterized and the parameters are all given values..