Manipulate SQL query depending on the filters applied in PHP?

Question

I have a HTML table that gets populated with values retrieved from the connected database table 'Attendance' on page load with the session UserID of who's logged in.

To adjust this table, I'm using a collection of filters created with <form> and inputs as such:

For Workspace No. it takes all the Workspace number's in the file and lists them as options in the dropdown so they are pre-populated values. The attendance checkboxes correlate to a checkbox with a value of 1 for Present and 0 for Late

So far I have only the filters for ID search and the Workspace No. written out but I'm unsure if this is the way to go as the SQL query will still have the WHERE ... WorkID = ? even if there has been no selection made for Workspace No. rather than being omitted from the query?

$('.apply').click(function () {
      if ($('#idSearch')[0].checkValidity()){ #checks if the form is valid
      $('#idSearch').submit();
    }
    if ($('#chosenWork') != ""){
      $('#WorkIDSearch').submit(); #submits the form to POST the Workspace No.
    }
  });

...

include("config.php");

if (isset($_POST['reqID'])){ #checks if the ID search input field (reqID) has been submitted
  $userid = $_POST['reqID'];
  
} else{                                  
  $userid = $_SESSION['sess_user_id'];
  
}

if (isset($_POST['chosenWork'])){ #checks if the dropdown for Workspace Number (chosenWork) has been selected
  $chosenwork = $_POST['chosenWork'];
  
}

if (isset($_POST['chosenWork']) && isset($_POST['reqID'])){ #checks if both are selected
  $chosenwork = $_POST['chosenWork'];
  $userid = $_POST['reqID'];
  
}


$stmt = $conn->prepare("SELECT Number, ID, Date, Log_Time, WorkID, Att_Type FROM Attendance WHERE ID = ? AND WorkID = ?";
$stmt->bindParam("ii", $userid, $chosenwork);
$stmt->execute();

$result = $stmt->setFetchMode(PDO::FETCH_ASSOC);

My desired output is that any of these filters can be applied independently or combined to adjust the WHERE clause of the SQL query.

Answer 1

It is hard to help debug without more info, but several things I noticed:

1. Looking at the error, it says the problem is either syntax but it could be the result of an old version. Have you checked your sql version? Prepared statements were introduced in v4.1.

2. You haven't shown your html or js validation, but since you are telling sql to expect integers, are you absolutely sure your variables are integers? To be sure, add a 0 to $userid and $chosenwork (e.g. $userid = $userid + 0;) before binding them

3. For security, validating posted form data should be done on the server not client -- it is trivial to circumvent client-side js validation

4. The null coalescing operators in Serghei Leonardo's answer will only work if you are using php7 or higher. Also, I am not familiar with his usage of it so I may be wrong, but it looks to me it will return $userid and $chosenwork if they are set and only bind if isset($userid) or isset($chosenwork) are null (i.e. if $userid or $chosenwork are null), which would be backwards from what you want. See another explanation here. This might not work, but try changing it to:

   (!isset($userid) ?? $stmt->bind_param("i", $userid)); (!isset($chosenwork) ?? $stmt->bind_param("i", $chosenwork));

Answer 2

You can try it this way:

$query = "SELECT Number, ID, Date, Log_Time, WorkID, Att_Type FROM Attendance";
$chosenwork = null;

if (isset($_POST['reqID'])){ #checks if the ID search input field (reqID) has been submitted
  $userid = $_POST['reqID'];
  $query .= " WHERE ID = ?";
  
} else{                                  
  $userid = $_SESSION['sess_user_id'];
  $query .= " WHERE ID = ?";
}

if (isset($_POST['chosenWork'])){ #checks if the dropdown for Workspace Number (chosenWork) has been selected
  $chosenwork = $_POST['chosenWork'];
  $query .= " WorkID = ?";
}

if (isset($_POST['chosenWork']) && isset($_POST['reqID'])){ #checks if both are selected
  $chosenwork = $_POST['chosenWork'];
  $userid = $_POST['reqID'];
  $query = "SELECT Number, ID, Date, Log_Time, WorkID, Att_Type FROM Attendance WHERE ID = ? AND WorkID = ?";
}

$query .= ";";
$stmt = $conn->prepare($query);
(isset($userid)) ?? $stmt->bind_param("i", $userid);
(isset($chosenwork)) ?? $stmt->bind_param("i", $chosenwork);
$stmt->execute();

$result = $stmt->setFetchMode(PDO::FETCH_ASSOC);