  1. #1
    SitePoint Member
    Join Date
    Sep 2011
    0 Post(s)
    0 Thread(s)

    Struggling with a For Each Loop

    OK, so I am having a bit of a dilemma: I am trying to build a list of Primary Categories and Secondary Categories sitting underneath the relevant Primary.

    - Sandals
    - High Heels
    - Gym Shoes

    It has all gone OK: I have built the list of Primary categories (the query for which lives in a controller file elsewhere that calls in the file I am about to show).

    This is the page that the code generates (Search), although it currently has an echo of the query in it.

    #2486457 - Pastie

    My problem is (I think) that this query does not seem to work.

    $secresult = mysqli_query($link, "SELECT secondarytubes.categoryname FROM secondarytubes INNER JOIN primarytubes ON primaryid = WHERE primaryid = '$primaryCatid' ");

    I personally think it is the $primaryCatid at the end, as if I change this to a numerical value to represent an id, e.g. 1, and run it through my database directly, it all works.

    Anyway, I have been on with this almost all day and am stuck.

    Help please.

  2. #2
    Programming Team
    Mittineague's Avatar
    Join Date
    Jul 2005
    West Springfield, Massachusetts
    196 Post(s)
    2 Thread(s)
    If $primaryCatid is numeric, why is it inside quotes?

  3. #3
    Utopia, Inc.
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    The Netherlands
    153 Post(s)
    2 Thread(s)
    Quote Originally Posted by Mittineague View Post
    If $primaryCatid is numeric, why is it inside quotes?
    That's no problem, you can do that in MySQL. See MySQL :: MySQL 5.5 Reference Manual :: 5.3.1 General Security Guidelines

    A common mistake is to protect only string data values. Remember to check numeric data as well. If an application generates a query such as SELECT * FROM table WHERE ID=234 when a user enters the value 234, the user can enter the value 234 OR 1=1 to cause the application to generate the query SELECT * FROM table WHERE ID=234 OR 1=1. As a result, the server retrieves every row in the table. This exposes every row and causes excessive server load. The simplest way to protect from this type of attack is to use single quotation marks around the numeric constants: SELECT * FROM table WHERE ID='234'. If the user enters extra information, it all becomes part of the string. In a numeric context, MySQL automatically converts this string to a number and strips any trailing nonnumeric characters from it.
    I don't believe it's standard SQL-2003 though.

    Anyway, are you sure $primaryCatid has a value, i.e. have you tried

    PHP Code:
    or similar, and did it show a value? If it shows a value, are you sure there are products there (i.e. have you tried the value 1, which should give results as per your tests)?
    Rémon - Hosting Advisor

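A prepared-statement version of the query from post #1, added here as an example rather than code from any of the posters. The join condition (`s.primaryid = p.id`), the `id` column on primarytubes and the use of `$_GET['cat']` are assumptions, since the thread shows only the column names primaryid and categoryname. It also makes the quoting question in posts #2 and #3 moot: a bound integer parameter is never parsed as SQL, so neither quotes nor MySQL's string-to-number conversion are relied on.

```php
<?php
// Added example, not the poster's code. Assumed schema:
//   primarytubes(id, categoryname)
//   secondarytubes(primaryid, categoryname)
// Only "primaryid" and "categoryname" appear in the thread; the rest is assumed.

function fetchSecondaryCategories(mysqli $link, $primaryCatid): array
{
    // Validate before the value goes anywhere near SQL: reject, do not coerce.
    $opts = ['options' => ['min_range' => 1]];
    if (filter_var($primaryCatid, FILTER_VALIDATE_INT, $opts) === false) {
        throw new InvalidArgumentException('primary category id must be a positive integer');
    }

    // Explicit join condition (the posted query had "ON primaryid = WHERE",
    // which is a syntax error) and a placeholder instead of interpolating
    // $primaryCatid into the query string.
    $sql = 'SELECT s.categoryname
              FROM secondarytubes AS s
              INNER JOIN primarytubes AS p ON s.primaryid = p.id
             WHERE p.id = ?';

    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }

    $id = (int) $primaryCatid;
    $stmt->bind_param('i', $id);   // bound as an integer, never spliced into SQL
    $stmt->execute();

    // get_result() needs the mysqlnd driver; with libmysqlclient use bind_result() instead.
    $result = $stmt->get_result();
    $names = [];
    while ($row = $result->fetch_assoc()) {
        $names[] = $row['categoryname'];
    }
    $stmt->close();

    return $names;
}

// Usage, assuming $link is the connection set up in the controller the post
// mentions and the category id arrives in the request as $_GET['cat'] (assumed name):
// $secondary = fetchSecondaryCategories($link, $_GET['cat'] ?? '');
```

If secondarytubes.primaryid is already the key into primarytubes, the join adds nothing and `WHERE s.primaryid = ?` alone returns the same rows; the parameter binding is the part that matters.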

