Page 1 of 1

Query Help

Posted: Sat Oct 03, 2009 1:07 am
by CFROG
The following code keeps giving me the error for unknown column in where clause. The problem is that it's not a column at all, it's an array. Can't figure out why it's giving me that error. I think I may not be using the array properly, just not sure how to fix it. Here is the problem query.

Code: Select all

$lk_for = array(" ".$_GET['lf2']." ".$_GET['lf3']." ".$_GET['lf4']." ".$_GET['lf5']." ".$_GET['lf6']." ".$_GET['lf7']." ".$_GET['lf8']."");
$looking_for = implode(",", $lk_for);
 
$pag="SELECT u.*, up.* FROM users AS u INNER JOIN user_profile AS up ON u.id = up.user_id WHERE u.zip IN ({$zcodes}) AND  u.gender='$gender' AND u.age BETWEEN '$min_age' and '$max_age' AND up.lf1 OR up.lf2 OR up.lf3 OR up.lf4 OR up.lf5 OR up.lf6 OR up.lf7 IN ({$looking_for})";
{$looking_for} is what's giving me a problem.

Re: Query Help

Posted: Sat Oct 03, 2009 1:45 am
by requinix
If all those $_GET["lfX"]s are supposed to be strings then they're missing quotes in the query.

And for heaven's sake, protect yourself from SQL injection.

Re: Query Help

Posted: Sat Oct 03, 2009 2:10 am
by CFROG
How do you mean it's missing the quotes in the query? Do you mean it should look like ('$looking_for')? If so, It gives me the same error.

I'm pretty bad about not escaping my input all of the time. I assumed that if the user had no control over the input that there was no real need to. For example choosing items from a drop down menu.

Re: Query Help

Posted: Sat Oct 03, 2009 4:46 am
by jackpf
What's the error?

And no - what makes you so sure that the user is selecting from a drop down box?

Re: Query Help

Posted: Sat Oct 03, 2009 4:55 am
by CFROG
The error is "Unknown column 'example' in where clause. I'm thinking it's a problem with the array because if I load more than one value into the array I get a syntax error. If the array is holding 'example1' and 'example2' it will say the syntax error is near 'exampl2'.

Unless they alter the URL and resubmit the page I would think the only place user input could come from is the form I'm sending it from.

Re: Query Help

Posted: Sat Oct 03, 2009 5:03 am
by jackpf
Probably because you need quotes - it's being interpreted as a table name.

And what's to stop the user using javascript to make it into a text input? Or rewriting the page? Or even writing a program to submit its own HTTP request to your process page?

Re: Query Help

Posted: Sat Oct 03, 2009 5:08 am
by CFROG
Where do I need the quotes? $zcodes is an array and I have no issues with that.

I suppose nothing is stopping them from doing those things, heck, I didn't even know that was a possibility.

Sometimes I feel like the poster child for what NOT to do with php.

Re: Query Help

Posted: Sat Oct 03, 2009 11:33 am
by jackpf
You need single quotes around EVERYTHING that shoud be interpreted as a string. So..all your $_GET stuff.

Also, I think your IN() cases should be comma seperated as well...

And lol. Everyone has to learn. Better sooner than later though.