SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Guru
    Join Date
    Feb 2006
    Location
    Chepstow, South Wales
    Posts
    906
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    (select * from where and) going wrong

    Hi, im trying to do a select * from where and, which isnt going right, can anybody see the problem.

    Cheers

    PHP Code:
    $r=mysql_query("select * from sub_category where ((parent_Category=$_GET['cat']) AND (sub_Active=1)) order by sub_Id DESC"); 

  2. #2
    SitePoint Member
    Join Date
    Feb 2012
    Posts
    16
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    at least show us your database dude

  3. #3
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    PHP Code:
    // cat is int
    "select * from sub_category where ((parent_Category="$_GET['cat'] .") AND (sub_Active=1)) order by sub_Id DESC" 
    the above will hold true if 'cat' is an integer, if it is a string then you have to add quotes (single quotes in this case) look at the diff very closely


    PHP Code:
    // cat is a string
    "select * from sub_category where ((parent_Category='"$_GET['cat'] ."') AND (sub_Active=1)) order by sub_Id DESC" 
    BTW, using any variable coming straight from the outside, like $_GET. is very dangerous and you should be protecting yourself from sql injection attacks.

    So the above become:

    PHP Code:
    // cat is int
    "select * from sub_category where ((parent_Category=". (int)$_GET['cat'] .") AND (sub_Active=1)) order by sub_Id DESC" 
    That is an example of typecasting a var to an integer ( or 0 if it is not an integer)


    PHP Code:
    // cat is a string
    "select * from sub_category where ((parent_Category='"mysql_real_escape_string($_GET['cat']) ."') AND (sub_Active=1)) order by sub_Id DESC" 
    That is an example of escaping a string for mysql

  4. #4
    SitePoint Guru
    Join Date
    Feb 2006
    Location
    Chepstow, South Wales
    Posts
    906
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi, what its calling for from the database is correct, I just keep getting a error message, so I was thinking the code was wrong.

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in E:

  5. #5
    SitePoint Addict FizixRichard's Avatar
    Join Date
    May 2003
    Location
    UK
    Posts
    372
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Just try this and see what happens:

    PHP Code:
    // Put that $_GET into a variable
    $parentcat $_GET['cat'];

    // Echo it out so that you can see precisely whats in that variable
    echo("Cat: " $parentcat);

    $r mysql_query("select * from sub_category where ((parent_Category='$parentcat') AND (sub_Active='1')) order by sub_Id DESC"); 
    Now, what I've done there, is move that GET into a variable, and we are outputting that variable to the screen so we know exactly whats in there (if there are any characters that could be throwing it up). You obviously wont do that in a production environment, but it can be useful just to test when something has gone wrong, so remove it completely after you know whats up.

    Then using '' around your variables in your query.

    This SQL is NOT secure though, you need to do as cups has said and escape that variable, but put the GET into a variable and escape it from there, NOT directly in the query.


    Edit:
    The reason you want to put it into a variable is because you will want to validate that whatever is put in is what you would expect to be put in, the escape will help prevent against SQL Injection, but there are other things you want to protect against, you should always validate/cleanse incoming variables properly.
    FIZIX - Full Service Digital Agency - Engaging websites, apps and games.
    Follow us @FIZIXAgency

  6. #6
    SitePoint Evangelist
    Join Date
    Apr 2009
    Location
    South Carolina
    Posts
    458
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by multichild View Post
    Hi, what its calling for from the database is correct, I just keep getting a error message, so I was thinking the code was wrong.

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in E:
    If the PHP code is wrong, it may not be in that line. Look at the previous lines or errors. Maybe if you post a larger selection of your code, someone could spot an error.
    Each day is a learning experience.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •