php - Creating Sql statements based on input from querystring -

i dynamically create sql statements execution based on url. them this:

url (using htaccess): `http://www.example.com/us/california/sanjose`  translates to: `http://www.example.com/index.php?country=us&state=california&sub=sanjose`  then, in script do: $sql = 'select * table where';  if(isset($_get['country'])){ $sql .= ' country='.$_get['country'];   } else { $sql .= ' country=us';   }  if(isset($_get['state'])){ $sql .= ' , state='.$_get['state'];   }  if(isset($_get['sub'])){ $sql .= ' , sub='.$_get['sub'];   }  //pdo execute $sql 

this how it. there better, cleaner way this? create sql statements on fly based on url? how this?

besides being vulnerable sql injections, there nothing wrong how going doing this.

to prevent sql injections, use prepared statements:

 $stmt = $dbh->prepare("insert registry (name, value) values (:name, :value)");  $stmt->bindparam(':name', $name);  $stmt->bindparam(':value', $value); 

specifically, 'bindparam' method prevents sql injection escaping value in query.

http://php.net/manual/en/pdo.prepared-statements.php