After some planning and evaluation, I came to the following solution:
The query itself will be contained in a single big <textarea> and look something like this:
Okay, that's a more complicated example, but you'll get the idea:
All search criteria will be of the form FIELD COMPARE VALUE,
where FIELD is any valid card property field, COMPARE can be any of the comparison symbols (=<>), and VALUE can be either a string, a number or a range. Ranges are written in the form a-b.
A comma translates to AND and a semicolon translates to OR. Braces are used to group several criteria together. A colon is used as a delimiter for global settings for the query like sorting criteria and display criteria (LIMIT).
Of course I do not require the user to enter this query directly into the form. There will be further controls that help the user to construct the query.
To ensure a high level of security, the input is parsed and checked by PHP and transformed into MySQL. The input scheme is relatively simple, so I don't think it will be easy to inject bad code.
Comments are appreciated.
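As an added illustration (not the poster's PHP, and not code from this thread), here is how that FIELD COMPARE VALUE grammar can be compiled into a parameterized MySQL query in Python. The point it shows is the one that matters for injection: every VALUE, and the LIMIT count, is handed to the driver as a bound parameter, while field names, which cannot be parameterized, are looked up in a whitelist rather than copied into the SQL text. The `cards` table and its columns, the precedence of comma over semicolon outside braces, and the `sort=FIELD, limit=N` syntax after the colon are assumptions made for the example; the post does not specify them.

```python
"""Added example in Python (the post's own code is PHP): compile a FIELD COMPARE
VALUE query into a parameterized MySQL statement.  Grammar, as in the post:
expr = term (';' term)*, term = factor (',' factor)*, factor = '{' expr '}' |
FIELD COMPARE VALUE.  Assumed, not from the post: the `cards` columns, comma
binding tighter than semicolon, and sort=FIELD / limit=N after the colon."""
import re

# User-visible field -> real column.  Identifiers cannot be bound as parameters,
# so this whitelist is the only path from user input into the SQL text itself.
FIELDS = {"name": "name", "cost": "cost", "power": "power",
          "toughness": "toughness", "type": "card_type", "rarity": "rarity"}
TOKEN_RE = re.compile(r'\s*(?:(?P<range>\d+-\d+)|(?P<num>\d+)|"(?P<str>[^"]*)"'
                      r'|(?P<word>[A-Za-z_]\w*)|(?P<sym>[=<>,;{}:]))')

def tokenize(text):
    """Split the query into (kind, value) tokens; any other character is an error."""
    tokens, pos = [], 0
    while text[pos:].strip():
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {text[pos:pos + 10]!r}")
        kind, raw = m.lastgroup, m.group(m.lastgroup)
        if kind in ("range", "num"):     # "1-3" -> (1, 3); "20" -> 20
            raw = tuple(map(int, raw.split("-"))) if kind == "range" else int(raw)
        tokens.append((kind, raw))
        pos = m.end()
    return tokens

class Parser:                            # recursive descent over the token list
    def __init__(self, tokens):
        self.toks, self.i, self.params = tokens, 0, []
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok

    def expr(self):                      # semicolon = OR
        parts = [self.term()]
        while self.peek() == ("sym", ";"):
            self.take()
            parts.append(self.term())
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

    def term(self):                      # comma = AND
        parts = [self.factor()]
        while self.peek() == ("sym", ","):
            self.take()
            parts.append(self.factor())
        return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

    def factor(self):                    # braces group a sub-expression
        if self.peek() != ("sym", "{"):
            return self.criterion()
        self.take()
        inner = self.expr()
        self.take("sym", "}")
        return inner

    def criterion(self):                 # FIELD COMPARE VALUE
        column = FIELDS.get(self.take("word")[1])
        op = self.take("sym")[1]
        kind, value = self.take()
        if column is None or op not in "=<>" or kind == "sym" or (kind == "range" and op != "="):
            raise ValueError(f"bad criterion near {value!r}")
        if kind == "range":              # a-b -> BETWEEN ? AND ?
            self.params.extend(value)
            return f"{column} BETWEEN ? AND ?"
        self.params.append(value)        # bound as a parameter, never spliced in
        return f"{column} {op} ?"

    def settings(self):                  # ':' sort=FIELD, limit=N  (assumed syntax)
        order, limit = "", ""
        if self.peek() == ("sym", ":"):
            self.take()
            while self.peek()[0] is not None:
                key = self.take("word")[1]
                self.take("sym", "=")
                if key == "sort" and self.peek()[1] in FIELDS:
                    order = f" ORDER BY {FIELDS[self.take()[1]]}"
                elif key == "limit":
                    self.params.append(self.take("num")[1])   # LIMIT bound as int
                    limit = " LIMIT ?"
                else:
                    raise ValueError(f"bad setting {key!r}")
                if self.peek() == ("sym", ","):
                    self.take()
        return order + limit

def compile_query(text, table="cards"):
    """Return (sql, params); the table name is a constant, never user input."""
    p = Parser(tokenize(text))
    where, tail = p.expr(), p.settings()
    if p.peek()[0] is not None:          # e.g. a stray "OR 1=1" after a criterion
        raise ValueError(f"trailing input: {p.peek()}")
    return f"SELECT * FROM {table} WHERE {where}{tail}", p.params
```

Feeding it `cost = 1-3, {type = creature; type = instant} : sort=name, limit=20` yields `SELECT * FROM cards WHERE (cost BETWEEN ? AND ? AND (card_type = ? OR card_type = ?)) ORDER BY name LIMIT ?` with the parameters `[1, 3, 'creature', 'instant', 20]`. A payload such as `name = x OR 1=1` is rejected as trailing input rather than reaching the database, an unknown field like `password` never makes it into the SQL, and a quoted payload simply becomes a harmless string parameter. With mysqli or PDO the `?` placeholders map directly onto prepared statements; with PDO, bind the LIMIT value as PDO::PARAM_INT (or turn off emulated prepares), since a quoted `LIMIT '20'` is a syntax error in MySQL.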