$sql = "SELECT * FROM ".$dbTable3." WHERE ";
//+ is interpreted as a space
//$check = $_GET["checkresult0"]." ".$_GET["checkresult1"];
$check1 = isset($_GET["checkresult0"]) ? $_GET["checkresult0"] : "";
$check2 = isset($_GET["checkresult1"]) ? $_GET["checkresult1"] : "";
$check=$check1." ".$check2;
$checkresult=explode(" ", $check);
/*
for($i=0; $i<count($checkresult); $i++){
$sql .= "id=".$checkresult[$i];
if($i<count($checkresult)-1){
$sql .= " OR ";
}
}
*/
$sql .= "id=";
$sql .= implode(" OR id=", $checkresult);
echo $sql;
The result shows an extra " OR id=" and gives error.
WHERE id=1 OR id=2 OR id=3 OR id=4 OR id=5 OR id=6 OR id=7 OR id=8 OR id=9 OR id=10 OR id=11 OR id=12 OR id=13 OR id=14 OR id=15 OR id=16 OR id=17 OR id=18 OR id=19 OR id=20 OR id=21 OR id=22 OR id=23 OR id=24 OR id=25 OR id=26 OR id=27 OR id=28 OR id=29 OR id=30 OR id=31 OR id=Error
maybe because the last $checkresult=explode(" ", $check); has a space and shows empty.
If I var_dump it:
No, not everything, just the stuff that is supposed to be an integer.
(int)$_GET[‘comments’] wouldn’t make sense, because comments are meant to be a string of text, so converting it to zero makes no sense. You’d use [fphp]mysql_real_escape_string[/fphp] for that, before using in a query.
(int)$_GET[‘id0’] probably DOES make sense, if that value is only allowed to be a number.
Setting the ID type variables to an empty string will also break your query if it ends up looking like this: