Query Help

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
CFROG
Forum Newbie
Posts: 4
Joined: Sat Oct 03, 2009 12:54 am

Query Help

Post by CFROG »

The following code keeps giving me the error for unknown column in where clause. The problem is that it's not a column at all, it's an array. Can't figure out why it's giving me that error. I think I may not be using the array properly, just not sure how to fix it. Here is the problem query.

Code: Select all

$lk_for = array(" ".$_GET['lf2']." ".$_GET['lf3']." ".$_GET['lf4']." ".$_GET['lf5']." ".$_GET['lf6']." ".$_GET['lf7']." ".$_GET['lf8']."");
$looking_for = implode(",", $lk_for);
 
$pag="SELECT u.*, up.* FROM users AS u INNER JOIN user_profile AS up ON u.id = up.user_id WHERE u.zip IN ({$zcodes}) AND  u.gender='$gender' AND u.age BETWEEN '$min_age' and '$max_age' AND up.lf1 OR up.lf2 OR up.lf3 OR up.lf4 OR up.lf5 OR up.lf6 OR up.lf7 IN ({$looking_for})";
{$looking_for} is what's giving me a problem.
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Query Help

Post by requinix »

If all those $_GET["lfX"]s are supposed to be strings then they're missing quotes in the query.

And for heaven's sake, protect yourself from SQL injection.
CFROG
Forum Newbie
Posts: 4
Joined: Sat Oct 03, 2009 12:54 am

Re: Query Help

Post by CFROG »

How do you mean it's missing the quotes in the query? Do you mean it should look like ('$looking_for')? If so, It gives me the same error.

I'm pretty bad about not escaping my input all of the time. I assumed that if the user had no control over the input that there was no real need to. For example choosing items from a drop down menu.
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Query Help

Post by jackpf »

What's the error?

And no - what makes you so sure that the user is selecting from a drop down box?
CFROG
Forum Newbie
Posts: 4
Joined: Sat Oct 03, 2009 12:54 am

Re: Query Help

Post by CFROG »

The error is "Unknown column 'example' in where clause. I'm thinking it's a problem with the array because if I load more than one value into the array I get a syntax error. If the array is holding 'example1' and 'example2' it will say the syntax error is near 'exampl2'.

Unless they alter the URL and resubmit the page I would think the only place user input could come from is the form I'm sending it from.
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Query Help

Post by jackpf »

Probably because you need quotes - it's being interpreted as a table name.

And what's to stop the user using javascript to make it into a text input? Or rewriting the page? Or even writing a program to submit its own HTTP request to your process page?
CFROG
Forum Newbie
Posts: 4
Joined: Sat Oct 03, 2009 12:54 am

Re: Query Help

Post by CFROG »

Where do I need the quotes? $zcodes is an array and I have no issues with that.

I suppose nothing is stopping them from doing those things, heck, I didn't even know that was a possibility.

Sometimes I feel like the poster child for what NOT to do with php.
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Query Help

Post by jackpf »

You need single quotes around EVERYTHING that shoud be interpreted as a string. So..all your $_GET stuff.

Also, I think your IN() cases should be comma seperated as well...

And lol. Everyone has to learn. Better sooner than later though.
Post Reply