How do I properly filter results from MySQL using a form?

Question

What is the proper way to filter results? What I have got so far is form where you can input firstname, lastname, phone and rest of stuff. How do I make statement ignore empty input fields instead of searching values which are empty?

I'm using prepared statements and when I filter stuff I use WHERE firstname = ? and lastname = ? and conditions change statement if something is empty. How can I prevent making hundreds of statements with conditions?

$stmt = $this->mysqli->prepare("SELECT * FROM cust");

    if(!empty($firstname) && !empty($lastname)) {
        $stmt = $this->mysqli->prepare("SELECT * FROM cust WHERE as_first = ? AND as_last = ?");
        $stmt->bind_param("ss", $firstname, $lastname);
    } else if(!empty($firstname) && empty($lastname)) {
        $stmt = $this->mysqli->prepare("SELECT * FROM cust WHERE as_first = ?");
        $stmt->bind_param("s", $firstname);
    } else if(empty($firstname) && !empty($lastname)) {
        $stmt = $this->mysqli->prepare("SELECT * FROM cust WHERE as_last = ?");
        $stmt->bind_param("s", $lastname);
    }

Answer 1

Unfortunately you should write your own conditions, like:

$sql = 'SELECT...' // your original query
$sql .= !empty($phone) ? ' phone = :phone';

and binding params manually:

if (!empty($phone)) {
    $stmt->bindParam(':phone', '%'.$phone.'%', PDO::PARAM_STR);
}