How to create a WHERE clause for PDO dynamically

Create the query dynamically
Create a static query with all conditions at once
Comments (8)

This is quite a common task when we need to create a search query based on the arbitrary number of parameters.

The main problem here is that we cannot create a query beforehand (well, actually we can and it will be shown later) and therefore we don't know which parameters to bind.

Create the query dynamically

PDO doesn't have a functionality for this out of the box, but it can ease the task significantly, thanks again to its ability to bind the arbitrary number of parameters in the form of array passed to execute(). So we can use a conditional statement which will add a condition to the query and also a parameter to bind:

// always initialize a variable before use!
$conditions = [];
$parameters = [];

// conditional statements
if (!empty($_GET['name']))
{
    // here we are using LIKE with wildcard search
    // use it ONLY if really need it
    $conditions[] = 'name LIKE ?';
    $parameters[] = '%'.$_GET['name']."%";
}

if (!empty($_GET['sex']))
{
    // here we are using equality
    $conditions[] = 'sex = ?';
    $parameters[] = $_GET['sex'];
}

if (!empty($_GET['car']))
{

    // here we are using not equality
    $conditions[] = 'car != ?';
    $parameters[] = $_GET['car'];
}

if (!empty($_GET['date_start']) && $_GET['date_end'])
{

    // BETWEEN
    $conditions[] = 'date BETWEEN ? AND ?';
    $parameters[] = $_GET['date_start'];
    $parameters[] = $_GET['date_end'];
}

// the main query
$sql = "SELECT * FROM users";

// a smart code to add all conditions, if any
if ($conditions)
{
    $sql .= " WHERE ".implode(" AND ", $conditions);
}

// the usual prepare/execute/fetch routine
$stmt = $pdo->prepare($sql);
$stmt->execute($parameters);
$data = $stmt->fetchAll();

Create a static query with all conditions at once

We can actually use a conditional statement right in the query. A condition like (name = :name or :name is null) will return true if either the value matches the field's contents or if the value is null. It means that if we want the query to bypass a condition, we just have to pass null for the value. ong story short, here it goes:

$parameters['name'] = !empty($_GET['name']) ? "%".$_GET['name']."%" : null;
$parameters['sex']  = !empty($_GET['sex'])  ? $_GET['sex']  : null;
$parameters['car']  = !empty($_GET['car'])  ? $_GET['car']  : null;

$sql = "SELECT * FROM users 
WHERE (name LIKE :name or :name is null)
AND   (sex  = :sex  or :sex  is null)
AND   (car  != :car  or :car  is null)";

$stmt = $pdo->prepare($sql);
$stmt->execute($parameters);
$data = $stmt->fetchAll();

The only drawback here is that this code will work only if emulation is turned off. So, to make it universal, we have to make it a little bit more verbose

$param['name'] = $param['name1'] = !empty($_GET['name']) ? "%".$_GET['name']."%" : null;
$param['sex'] = $param['sex1']  = !empty($_GET['sex'])  ? $_GET['sex']  : null;
$param['car'] = $param['car1']  = !empty($_GET['car'])  ? $_GET['car']  : null;

$sql = "SELECT * FROM users 
WHERE (name LIKE :name or :name1 is null)
AND   (sex  = :sex  or :sex1  is null)
AND   (car  != :car  or :car1  is null)";

$stmt = $pdo->prepare($sql);
$stmt->execute($param);
$data = $stmt->fetchAll();

Latest comments:

02.04.24 23:57
Pablo for How to call stored procedures with mysqli:
Muchas gracias por el aporte, esta instruccion es la que me faltaba ($mysqli->next_results(); no...
read more
27.03.24 11:10
Grespin for How to run a SELECT query using Mysqli:
Its not working and im going insane
read more
26.03.24 10:45
Hello world for Articles:
to mark a block of code add four spaces before each line and empty lines before and after
read more
05.03.24 15:35
Anders Blume for (The only proper) PDO tutorial:
I have this code that works perfectly in Sequel Pro for Mac. SET @a = 202401; UPDATE...
read more
01.03.24 04:03
Rick Pizzi for How to run an INSERT query using Mysqli:
I'm trying to create a workable INSERT query but am having trouble with NULL as an input...
read more

Comments:

Ezeribe Adolf, 12.05.22 19:38

Dear sir, This beautiful solution is great for a known and expected Query String. Could you please advise what modification to make to this solution when the Query String is a "Search String of multiple words" of perhaps many words?
Neil, 30.06.21 01:38

Hello. I sent in a question earlier but I do not see it on the comments list below so I'm assuming it did not get you. If it did, please excuse the second attempt. In essence, up until this page (How to create a WHERE clause for PDO dynamically) I have been able to follow your brilliant solutions and extremely well put together examples. However, on this page I am stymied because I do not know what is expected in the parameters area to allow me to enter multiple conditions. In this application I may need to have as many as 10 separate conditions separated by the or operator ( || ). Could you please provide a little extra detail in this area? Thank you for your help.
Martin Kagume, 08.04.20 21:52

Just realised this is for PDO.Mind sharing a mysqli dynamic paramter prepared statement example

Reply:
Hello Martin!

It's already there: https://phpdelusions.net/mysqli_examples/search_filter

Felver Yepez, 29.05.19 09:06

PDO SELECT WITH INNER JOINS not working as it should:

IF I run the query in PhpMySQL it works perfectly but when I try it on my PHP it gave me all the possible combinations.

Here is my code

$config = include("../db/config.php");
$db = new PDO($config["db"], $config["username"], $config["password"]);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT DISTINCT tbl_seasons.season_id, tbl_seasons.season_description, tbl_divisions.division_id, tbl_divisions.division_description
        FROM tbl_casl
        INNER JOIN tbl_seasons ON tbl_casl.casl_seasonid = tbl_seasons.season_id
        INNER JOIN tbl_divisions ON tbl_casl.casl_divisionid = tbl_divisions.division_id
        INNER JOIN tbl_teams ON tbl_casl.casl_teamid = tbl_teams.team_id WHERE tbl_seasons.season_status=1 AND tbl_divisions.division_status=1";
$q = $db->prepare($sql);

$q->execute();
$result = $q->fetchAll(PDO::FETCH_ASSOC);

It should give me only 3 rows, but is returning all the possible combinations (6 results in total).

I am lost.. new to this PDO :-)

Ilmari, 24.08.18 19:45

Am I making some kind of stupid mistake here? Because in your last example, there seems to be that annoying PDO problem that the same parameter can't be used twice in the query.

PS. Your site seems to be using some kind of legacy text encoding but doesn't declare it
sid, 06.01.18 12:41

The dynamic where clause stuff looks interesting. What is the performance impact of this solution?

I understand that if we use prepared statements, it is pre-complied and so much faster and saves against SQL injection too. Do we miss on these benefits dynamic WHERE clause based approach on PDO?
Reply:
Hello Sid!

There are two things to note:
1. The performance benefit of prepared statements is often overestimated. First off, 9999 out of 10000 prepared queries are executed only once, and there is no benefit at all. And even for the multiple executed queries the benefit is not that impressive, hardly exceeds 5%.
2. That said, although we are constructing the query dynamically, in the end it becomes the same prepared query as one you write statically and so there is absolutely no difference in any way, including performance.
Hope it's clear now!
Lucas Krupinski, 29.08.17 14:45

Yes, I usually bind parameters within execute(), (per your MyPDO wrapper). In the example I had on reddit, I was converting the user input to integers as a validation step, but if they passed validation, there wouldn't be a need to send them to the query recast as integers.

That was part of the reason for the separate "bindParams", but the bigger reason was I simply didn't dawn on me that I could build the execute array dynamically like you did.

I normally pass in parameters through execute (by using your MyPDO wrapper with a little bit of an extension added on), but i didn't think to add my parameters that way. Again, much cleaner code, one day I hope be there!
Lucas Krupinski, 28.08.17 14:21

Definitely much cleaner code than what I had put together! I will refactor today Thank you for writing this! The implode was the big thing I overlooked and adds simplicity.

Reply:
Hello Lucas.

I am glad to help! Sorry for the delayed answer. Note that beside explode it's also execute() that makes it real neat, taking off another set of conditions with binding.

02.04.24 23:57
Pablo for How to call stored procedures with mysqli:
Muchas gracias por el aporte, esta instruccion es la que me faltaba ($mysqli->next_results(); no...
read more

27.03.24 11:10
Grespin for How to run a SELECT query using Mysqli:
Its not working and im going insane
read more

26.03.24 10:45
Hello world for Articles:
to mark a block of code add four spaces before each line and empty lines before and after
read more

05.03.24 15:35
Anders Blume for (The only proper) PDO tutorial:
I have this code that works perfectly in Sequel Pro for Mac. SET @a = 202401; UPDATE...
read more

01.03.24 04:03
Rick Pizzi for How to run an INSERT query using Mysqli:
I'm trying to create a workable INSERT query but am having trouble with NULL as an input...
read more