You are here:

PHP5/PHP if statements inside a SQL query


Hello, I am having quite a few problems with using an if statement inside a SQL query. I have a search form which basically has three options, to search via patient data (firstname, lastname etc) to search via any medical study they may be on or search via their diagnosis.
Here is the form:
<table border="0" width="100%">
     <tr bgcolor="#c0c0c0">
     <td colspan="2"><h2>Dermatology</h2></td>
     <td bgcolor="#cccccc">
     <table width="75" border="0">
        <tr><td>Add New Patient<td></tr>
        <tr><td>Tissue bank<td></tr>
     <table width="100%" border="0">
        <form method="post" action="search_result.php">
        <tr><td colspan="2"><h3>Search Form</h3></td></tr>
        <tr><td colspan="2"><p>Patient Data</p></td></tr>
        <tr><td><select name="patient_search">
         <option value="firstname">First Name</option>
         <option value="lastname">Last Name</option>
         <input type="text" name="patient_data"></td>


        <tr><td colspan="2"><p>Study</p></td></tr>
        <tr><td><select name="study_search">
         <option value="all"> </option>
         <option value="CP123XZ">Control Procedure XZ</option>
         <option value="study1">Study1</option>

        <tr><td colspan="2"><p>Diagnosis</p></td></tr>
        <tr><td><select name="diag_search">
         <option value="all"> </option>
         <option value="acne">Acne</option>
         <option value="eczema">Eczema</option>
         <option value="psoriasis">Psoriasis</option>
         <td><input type="submit" value="Search">

Here is the PHP code getting this information and trying to pass it into the SQL statement:

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$patient_data = $_POST['patient_data'];
$patient_search = $_POST['patient_search'];
$study_search = $_POST['study_search'];
$diag_search = $_POST['diag_search'];

$query = "SELECT firstname, lastname, age, dob, address, nhs_no, hospital_no, skin_type, ethnicity, gender, consultant_name FROM patient
if(!($patient_data == "")) {  
  WHERE $patient_search = '$patient_data'

if(!($diag_search == "all")) {   
     INNER JOIN diagnosis
     ON patient.patientID = diagnosis.patientID    
     WHERE diagnosis.diagnosis_type = '$diag_search'
if(!($study_search == "all")) {
     INNER JOIN patient_study
     ON patient_study.patientID = patient.patientID
     WHERE patient_study.studyID = '$study_search'
  ORDER BY lastname";
    $result = mysql_query($query)
        or die ("An error occured, please try again");
    $nrows = mysql_num_rows($result);
    echo "<table border='0' width='100%'>
         <tr bgcolor='orange'>
         <td align='center'><P>Firstname </p></td>
     <td align='center'><P>Lastname </p></td>
     <td align='center'><P>DOB </p></td>
     <td align='center'><P>address </p></td>
     <td align='center'><P>NHS No. </p></td>
     <td align='center'><P>Hospital No. </p></td>
     <td align='center'><P>Skin Type </p></td>
     <td align='center'><P>Ethnicity </p></td>
     <td align='center'><P>Gender </p></td>
     <td align='center'><P>Consultant Name </p></td>";
         echo "</tr>";
    for ($i=0;$i<$nrows;$i++)
     $n = $i + 1;
     $row = mysql_fetch_array($result, MYSQL_ASSOC);
        echo "<tr bgcolor='#cccccc'>
         <td align='center'><P>$firstname </P></td>
         <td align='center'><P>$lastname</p></td>
  <td align='center'><P>$dob</p></td>
  <td align='center'><P>$address</p></td>
  <td align='center'><P>$nhs_no</p></td>
  <td align='center'><P>$hospital_no</p></td>
  <td align='center'><P>$skin_type</p></td>
  <td align='center'><P>$ethnicity</p></td>
  <td align='center'><P>$gender</p></td>
  <td align='center'><P>$consultant_name</p></td>
    echo "</table>";


To me, logically this makes sense, but I must be doing something very wrong as I get error messages each time.

Could you please help?


Hi TD,
Your $query is a string variable, so if you want parts of it to be dynamic you'll need to close the string before each if statement and append to it as needed (and if you are not escaping your parameters you'll want to do so before putting them into a sql statement), like this:

$query = "SELECT firstname, lastname, age, dob, address, nhs_no, hospital_no, skin_type, ethnicity, gender, consultant_name FROM patient "; //make sure you keep spaces between each part

if(!($patient_data == "")) {  
 $query.= "WHERE $patient_search = '".addslashes($patient_data)."' ";


Then when you run the query show what the query was and print the error for debugging, like this:

$result = mysql_query($query)
    or die ("Query: $query, error: ".mysql_error());

Then if there is an error you'll see what it is and you can review the generated query to see if it looks right.


All Answers

Answers by Expert:

Ask Experts


Robert Davis


My focus in PHP has been calculations, reporting, database manipulation (MySQL), automated scripting, screen scraping, and tracking systems. A summary of my business is posted at


I've been programming in many languages for over 15 years, but the last several years I've focused on php for websites and perl for data processing. I've posted several tricks I've learned at

I have a bachelors degree and a masters degree, both in electrical engineering from Arizona State University.

©2017 All rights reserved.