Imploding "OR id="

$sql = "SELECT * FROM ".$dbTable3." WHERE ";
//+ is interpreted as a space
//$check = $_GET["checkresult0"]." ".$_GET["checkresult1"];
$check1 = isset($_GET["checkresult0"]) ? $_GET["checkresult0"] : "";
$check2 = isset($_GET["checkresult1"]) ? $_GET["checkresult1"] : "";
$check=$check1." ".$check2;
$checkresult=explode(" ", $check);
/*
for($i=0; $i<count($checkresult); $i++){
	$sql .= "id=".$checkresult[$i];
	if($i<count($checkresult)-1){
		$sql .= " OR ";
	}
}
*/

	$sql .= "id=";
	$sql .= implode(" OR id=", $checkresult);

echo $sql;

The result shows an extra " OR id=" and gives error.

WHERE id=1 OR id=2 OR id=3 OR id=4 OR id=5 OR id=6 OR id=7 OR id=8 OR id=9 OR id=10 OR id=11 OR id=12 OR id=13 OR id=14 OR id=15 OR id=16 OR id=17 OR id=18 OR id=19 OR id=20 OR id=21 OR id=22 OR id=23 OR id=24 OR id=25 OR id=26 OR id=27 OR id=28 OR id=29 OR id=30 OR id=31 OR id=Error

maybe because the last $checkresult=explode(" ", $check); has a space and shows empty.
If I var_dump it:

array(32) { [0]=> string(1) “1” [1]=> string(1) “2” [2]=> string(1) “3” [3]=> string(1) “4” [4]=> string(1) “5” [5]=> string(1) “6” [6]=> string(1) “7” [7]=> string(1) “8” [8]=> string(1) “9” [9]=> string(2) “10” [10]=> string(2) “11” [11]=> string(2) “12” [12]=> string(2) “13” [13]=> string(2) “14” [14]=> string(2) “15” [15]=> string(2) “16” [16]=> string(2) “17” [17]=> string(2) “18” [18]=> string(2) “19” [19]=> string(2) “20” [20]=> string(2) “21” [21]=> string(2) “22” [22]=> string(2) “23” [23]=> string(2) “24” [24]=> string(2) “25” [25]=> string(2) “26” [26]=> string(2) “27” [27]=> string(2) “28” [28]=> string(2) “29” [29]=> string(2) “30” [30]=> string(2) “31” [31]=> string(0) “” }

Hi,

Try doing this:

$check = trim($check1." ".$check2);

This should remove the extra white space

PS. You might want to sanitize those inputs as they can lead to SQL injection.

thanks!

how?

Here’s an idea—instead of a thousand OR id= clauses use an IN statement


SELECT * FROM table WHERE id IN (3,4,7,19,21,23,50)

Then you can just implode(‘,’);

As for SQL injection, these are all supposed to by numbers so cast to int.


$check1 = (int)$_GET['checkresult0'];

Can you explain this further?

It forces the variable to be an integer. A non-numeric value will become 0.


(int)5;      //integer 5
(int)"6";    //integer 6
(int)'hello'; //integer 0

So there’s no chance of the value containing SQL injection material if it becomes 0.

So everything that comes out of the $_GET[“”] or $_POST[“”] has to be accompanied with (int)?
How about:

$comments=isset($_GET["comments"]) ? $_GET["comments"] : "";
$uname=isset($_GET["username"]) ? $_GET["username"] : "";
$id0=isset($_GET["checkresult0"]) ? $_GET["checkresult0"] : "";
$bookTitle0=isset($_GET["comments"]) ? $_GET["comments"] : "";
$book0=isset($_GET["bookTitle0"]) ? $_GET["bookTitle0"] : "";
$chapter0=isset($_GET["chapter0"]) ? $_GET["chapter0"] : "";
$verse0=isset($_GET["verse0"]) ? $_GET["verse0"] : "";
$id1=isset($_GET["checkresult1"]) ? $_GET["checkresult1"] : "";
$bookTitle1=isset($_GET["bookTitle1"]) ? $_GET["bookTitle1"] : "";
$book1=isset($_GET["book1"]) ? $_GET["book1"] : "";
$chapter1=isset($_GET["chapter1"]) ? $_GET["chapter1"] : "";
$verse1=isset($_GET["verse1"]) ? $_GET["verse1"] : "";

No, not everything, just the stuff that is supposed to be an integer.

(int)$_GET[‘comments’] wouldn’t make sense, because comments are meant to be a string of text, so converting it to zero makes no sense. You’d use [fphp]mysql_real_escape_string[/fphp] for that, before using in a query.

(int)$_GET[‘id0’] probably DOES make sense, if that value is only allowed to be a number.

Setting the ID type variables to an empty string will also break your query if it ends up looking like this:


SELECT * FROM table WHERE id =