A bunch of points -
- You cannot concatenate onto the result of a prepare() call. You need to build the sql query statement in a php variable, then when you are done doing that, you would call prepare()
- List out the columns you are SELECTing.
- If you have static/always values, such as the published = ‘Y’, put them directly into the query.
- Each term to be AND’ed should be added as an entry to an array. You can then implode the array using the ’ AND ’ string to build that part of the sql statement.
- Since you are using a MySql (or similar) database, use FIND_IN_SET() rather than an IN() comparison. You can use a single prepare query place-holder with FIND_IN_SET().
- Since you have a price_from and a price_upto and you are using isset() to test which one(s) were submitted, that implies you can have any combination of them. Write code for a separate term for each of them, using an explicate >= or <= operator.
- You cannot supply column names via prepared query place-holders. For the ORDR BY… term, you must validate that the inputs are exactly and only permitted choices before putting them into the sql query statement.
- If you switch to the much simpler and more consistent PDO extension, for each term you add to the query, you would simple add the corresponding values to an array, then just supply this array as a call-time parameter to the ->execute(…) call. This will work correctly even if there are no terms being added to the query.
- If you continue using the mysqli extension, you would build both a string of the type(s) and an array of the input values. When you get to the point of calling bind_param(), you would use php’s … splat operator https://www.php.net/manual/en/migration56.new-features.php to supply the array of values to the bind_param() call. Also, with the mysqli extension, you would need to test if there are any dynamic terms being added to the query and just use the ->query() method if there are none.