$_GET not working in function?!

Hello,

I’ve been working on this for hours and for some reason cannot get it to work correctly. My site uses Wordpress and I have a page with a parameter - /page/?myvar=1

I’m grabbing the parameter by using

 $myvar = $_GET["myvar'']

All I want to do is select from my database where user = ‘$myvar’ - but it will not work!

Here is the main part of my code

function wpsl_store_search() {

global $wpdb; 

           $myvar = $_GET['myvar'];

$options       = get_option( 'wpsl_settings' );
$distance_unit = ( $options['distance_unit'] == 'km' ) ? '6371' : '3959'; 

/* Check if we need to include the distance and radius limit in the sql query. 
 * If autoload is enabled we load all stores, so no limits required. 
 */
if ( isset( $_GET['autoload'] ) && ( $_GET['autoload'] == 1 ) ) {
    $sql_part = ' ORDER BY distance';
    $placeholders = array(
         $_GET["lat"], 
         $_GET["lng"], 
         $_GET["lat"]
     );

} else {
    $max_results = ( isset( $_GET['max_results'] ) ) ? $_GET['max_results'] : '';

    if ( ( $max_results == 'NaN' ) || ( !$max_results ) ) {
        $max_results = get_default_list_value( $type = 'max_results' );   
    }
            
    $sql_part = ' HAVING distance < %d ORDER BY distance LIMIT 0, %d';
    $placeholders = array(
        $_GET["lat"], 
        $_GET["lng"], 
        $_GET["lat"],
        $_GET["radius"], 
        $max_results
    );  
}
    
   
    
$result = $wpdb->get_results( 
                $wpdb->prepare( "
                                SELECT *, ( $distance_unit * acos( cos( radians( %s ) ) * cos( radians( lat ) ) * cos( radians( lng ) - radians( %s ) ) + sin( radians( %s ) ) * sin( radians( lat ) ) ) ) 
                                AS distance FROM $wpdb->wpsl_stores WHERE active = 1 && user = '$myvar'
                                $sql_part
                                ",
                                $placeholders
                ) 
            );

I’m sure there is an easy way of doing this, but nothing is working for me! Help please?!

Try outputting the whole $GET value. If myvar isn’t in the collection, then I suspect that your “?myvar=1” might be overwritten on form submit via GET. (Assuming that the form is method="GET", that is.)

V/r,

:slight_smile:

No semicolon ; and incorrect quotes being used might be part of the problem to.

Thank you for your post!

Nothing is outputted. There is no form, it’s on page load.

Sorry, not too sure why I did that! It isn’t written like that in the code.

Out of curiousity, why put $myvar into the SQL string, when you’re binding all the other strings? Stick it into $pllaceholders with all your other variables and use another parameter replacement.

If you do

var_dump($_GET);

do you get what you’re expecting to find?

Sorry for such a delay in responding. I’ve still not fixed this problem.

The problem seems to be because The SQL query uses a prepared statement, so you can’t just add the user = $myvar in the query.

What I need to do is set a placeholder like %s, and then include the $myvar value in the placeholder array.

But nothing seems to be working correctly, still…

I figured doing something like this would work?

} else {
    $max_results = ( isset( $_GET['max_results'] ) ) ? $_GET['max_results'] : '';
    if ( ( $max_results == 'NaN' ) || ( !$max_results ) ) {
        $max_results = get_default_list_value( $type = 'max_results' );
    }
            $myvar = $_GET['myvar'];

    $sql_part = ' WHERE user = %s HAVING distance < %d ORDER BY distance LIMIT 0, %d';
    $placeholders = array(
        $myvar,
        $_GET["lat"],
        $_GET["lng"],
        $_GET["lat"],
        $_GET["radius"],
        $max_results
    );  

}

$result = $wpdb->get_results(
                $wpdb->prepare( "
                                SELECT *, ( $distance_unit * acos( cos( radians( %s ) ) * cos( radians( lat ) ) * cos( radians( lng ) - radians( %s ) ) + sin( radians( %s ) ) * sin( radians( lat ) ) ) )
                                AS distance FROM $wpdb->wpsl_stores
                                $sql_part
                                ",
                                $placeholders  

                  )
              );

But it doesn’t work. Any help guys would be highly appreciated.

Well you’ve done that, but you’ve put it in the first spot of the array.

prepare has no concept of ‘what goes where’… so if it takes your parameters array, and just starts lining things up… where does $myvar end up? For that matter, where does $_GET['radius'] go? $max_results?

Thanks for responding StarLion.

To be honest, I’m fairly new to PHP programming. Therefore I’m not sure where they actually end up. I’m trying to modify a plugin, and trying to understand how everything works inside the plugin and it’s pretty difficult.

So… in essence, Every %s will be replaced by an item from your array - in order.

So…

This is why $_GET[‘lat’] appears twice in the array - the string is expecting it to go in twice.

"
SELECT *, ( $distance_unit * acos( cos( radians( %s ) ) * cos( radians( lat ) ) * cos( radians( lng ) - radians( %s ) ) + sin( radians( %s ) ) * sin( radians( lat ) ) ) )
AS distance FROM $wpdb->wpsl_stores
WHERE user = %s HAVING distance < %d ORDER BY distance LIMIT 0, %d’;

(because, for whatever reason, the plugin makers decided to put $sql_part seperately. Go figure)

%d means it’s expecting a decimal number.

Based on that explanation, try and rearrange your placeholders array so that the correct things go in the correct spots.

Wow, thank you very much! It’s working :grinning:

You also need to validate the $_GET variables and move them to different fields long before the values get as far as the database call.

If you don’t then you will get garbage in the fields

for example:

/page/?lat=ontime&lng=short&rad=normal&myvar=never

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.