How to change map on clicking a button

I currently have a Google map that outputs markers for values from my database. The query that currently does this in my php script is:

SELECT     DISTINCT gps_lat, gps_long, quality
FROM         V6_HOLLTS479_20101015_subset.dbo.rvresults_tie_parent
WHERE quality=1

Basically I need to add buttons (for example a button for “quality 1”, “quality 2”, “quality 3”, “quality 4” etc.) on the page. When clicking on a button, it changes the query to “WHERE quality=3”, for example.

I’ve been looking at different ways to do this and I think a switch statement would do the job, but I’m not sure how it would look or how to implement it in this situation. Could anyone provide some example code or advice on how to do this?

I hope this makes sense… Any help would be greatly appreciated!

Cheers,

Neil


<a href="map.php?quality=2">Quality 2</a>
// ... etc

Click an HTML link like the one above, then pick it up and action it like this:

map.php


//$_GET['quality'] = 'afasdfa'; // example of bad incoming data
$_GET['quality'] = 2;  // example of acceptable incoming data

$quality = 1; // set a default value
$max = 5;
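if( isset($_GET['quality'])
  && (int)$_GET['quality'] > 0 
  && (int)$_GET['quality'] <= $max){
  // cast again on assignment: the checks above only test the cast value,
  // so the raw string must not be what reaches the query
  $quality = (int)$_GET['quality']; // a positive int between 1 and 5
}
// else default value is being used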

$qry = 'SELECT DISTINCT gps_lat, gps_long, quality
FROM V6_HOLLTS479_20101015_subset.dbo.rvresults_tie_parent
WHERE quality=' . $quality;

// prove it works in different situations
echo $qry;

I showed how to use (int) to typeset the incoming value to an integer; if it encounters a string ‘badhax’ it turns it into a 0.

Will return 1 unless incoming var is a number between 1 and $max.

Play around with the values in your browser address bar to test it.

Thank you for your response cups! I did look at using a get statement but I’m not so keen on the user being able to inject information into the URL… I decided to do the buttons like this…

This creates the buttons…

<form method="post" action="">
  <input type="submit" name="quality_button" value="Quality 1" />
  <input type="submit" name="quality_button" value="Quality 2" />
  <input type="submit" name="quality_button" value="Quality 3" />
</form>

After submit use the following code to process the form:

<?php

if (isset($_POST['quality_button'])) { // avoids an undefined-index notice when the field is absent
  switch ($_POST['quality_button']) {
    case 'Quality 1':
      // Update your SQL query
      break;
    case 'Quality 2':
      // Update your SQL query
      break;
    case 'Quality 3':
      // Update your SQL query
      break;
    default:
      // If none matched do something else here or do nothing.
      break;
  }
}

?>

This method looks messier but it seems to work fine…

Cheers,

Neil

Hi, got bad news I am afraid: people will be able to inject code into your POST forms just as easily, so put that reason out of your mind (I remember thinking the same as you).

You could just as easily edit my code to take POST values; your question seemed so general I thought GET would be easier for you to test out.

Glad you found yourself a solution, but in terms of maintainability I prefer mine :wink: although arguably for readability yours is nicer.

There are probably other ways of doing the same thing.

Cannot see the point of all this extra typing in your form and in your postback PHP handler though.


  <input type="submit" name="quality_button" value="Quality 1" />

horses/courses


  <input type="submit" name="quality" value="1" />

I’m, as usual, with Cups on this. Less typing means less to go wrong. :slight_smile:

Also, take a look at PHP’s filter extension.


<?php
error_reporting(-1);
ini_set('display_errors', true);

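function quality(){
  /*
    Returns the 'quality' param from either $_GET or $_POST
    or 0 (zero).
  */
  // filter_input() takes a single INPUT_* constant, not a bitmask
  // (INPUT_GET | INPUT_POST evaluates to INPUT_GET), so check each source in turn.
  foreach (array(INPUT_GET, INPUT_POST) as $source) {
    $value = filter_input($source, 'quality', FILTER_SANITIZE_NUMBER_INT);
    if ($value !== null && $value !== false) {
      return (int)$value;
    }
  }
  return 0;
}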

I also find an array is easier to work with in cases like this too, consider…


<?php
error_reporting(-1);
ini_set('display_errors', true);

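function quality(){
  /*
    Returns the 'quality' param from either $_GET or $_POST
    or 0 (zero).
  */
  // filter_input() takes a single INPUT_* constant, not a bitmask
  // (INPUT_GET | INPUT_POST evaluates to INPUT_GET), so check each source in turn.
  foreach (array(INPUT_GET, INPUT_POST) as $source) {
    $value = filter_input($source, 'quality', FILTER_SANITIZE_NUMBER_INT);
    if ($value !== null && $value !== false) {
      return (int)$value;
    }
  }
  return 0;
}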

$filters = array(
  0 => " WHERE quality = 'rubbish'",
  1 => " WHERE quality = 'not bad' AND active = 1"
);

$sql = 'SELECT foo FROM table';

if(array_key_exists(quality(), $filters)){
  $sql .= $filters[quality()];
}

Thank you guys for your help!! I do use the post method quite a lot in my site so shall definitely need to look into securing them…

Cheers,

Neil
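
Pulling the thread's advice together, as an added example that is not any poster's code: whether the value arrives by GET or POST, it is validated server-side against the 1 to 5 range and then bound as a query parameter. The function names, the constructed sample rows and the in-memory SQLite database (standing in for the SQL Server table) are assumptions.

```php
<?php
// Added example; function names and sample rows are assumptions.
const QUALITY_DEFAULT = 1;
const QUALITY_MAX     = 5;

// Return a quality level in 1..QUALITY_MAX taken from a request array
// ($_GET or $_POST), or the default when it is missing or malformed.
function quality_from_request(array $request): int
{
    $value = filter_var(
        $request['quality'] ?? null,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => QUALITY_MAX))
    );
    // Unlike an (int) cast, which reads "2 OR 1=1" as 2, validation rejects
    // any value that is not wholly an integer in range.
    return $value === false ? QUALITY_DEFAULT : $value;
}

// The value is bound as an integer parameter, never concatenated into the SQL.
function fetch_markers(PDO $db, int $quality): array
{
    $stmt = $db->prepare(
        'SELECT DISTINCT gps_lat, gps_long, quality
           FROM rvresults_tie_parent
          WHERE quality = :quality'
    );
    $stmt->bindValue(':quality', $quality, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data: in-memory SQLite (needs pdo_sqlite) standing in
// for the SQL Server table from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rvresults_tie_parent (gps_lat REAL, gps_long REAL, quality INTEGER)');
$db->exec('INSERT INTO rvresults_tie_parent VALUES (53.48, -2.24, 1), (51.50, -0.12, 2), (55.95, -3.19, 2)');

// Constructed requests: a valid button value, a tampered value, out of range,
// and a missing field. In map.php the argument would be $_POST (or $_GET).
$samples = array(array('quality' => '2'), array('quality' => '2 OR 1=1'), array('quality' => '9'), array());
foreach ($samples as $request) {
    $quality = quality_from_request($request);
    $rows    = fetch_markers($db, $quality);
    printf("%-12s -> quality %d, %d marker(s)\n",
        json_encode($request['quality'] ?? null), $quality, count($rows));
}
```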