$_GET syntax use [Solved]
Posted: Sun May 06, 2007 9:52 pm
by desb01
Why is this not working?
$query_test = 'SELECT * FROM table WHERE var LIKE $_GET['varName']';
I checked varName and it has the correct value.
Thanks in advance for the help.
Re: $_GET syntax use
Posted: Sun May 06, 2007 10:11 pm
by AKA Panama Jack
desb01 wrote: Why is this not working?
$query_test = 'SELECT * FROM table WHERE var LIKE $_GET['varName']';
I checked varName and it has the correct value.
Thanks in advance for the help.
Code:
$query_test = "SELECT * FROM table WHERE var LIKE $_GET[varName]";
Use double quotes around the query and remove the single quotes around the element name in the $_GET variable.
Posted: Mon May 07, 2007 8:24 am
by vigge89
Also, use brackets around the array element when it is inside double quotes, or do the concatenation outside of the double quotes:
Code:
$query_test = "SELECT * FROM table WHERE var LIKE {$_GET['varName']}";
Code:
$query_test = "SELECT * FROM table WHERE var LIKE ".$_GET['varName'];
Posted: Mon May 07, 2007 8:37 am
by volka
You also need to take care of SQL injection, see
http://de2.php.net/security.database.sql-injection
Posted: Mon May 07, 2007 1:39 pm
by RobertGonzalez
:(
Posted: Mon May 07, 2007 9:32 pm
by desb01
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
First of all, thank you for taking the time to answer my question.
Next, I tried all of the above without any success.
The following works:
Code:
$query_cities = 'SELECT * FROM cities WHERE country LIKE "USA"';
The following don't:
Code:
$query_cities = "SELECT * FROM cities WHERE country LIKE $_GET[countryName]";
$query_cities = "SELECT * FROM cities WHERE country LIKE ".$_GET['countryName'];
$query_cities = "SELECT * FROM cities WHERE country LIKE {$_GET['countryName']}";
$query_cities = "SELECT * FROM cities WHERE country LIKE $_GET[countryName]";
The following works:
Code:
switch($_GET['countryName']){
    case "USA":
        echo "obj.options[obj.options.length] = new Option('New York','1');\n";
        echo "obj.options[obj.options.length] = new Option('Los Angeles','2');\n";
        echo "obj.options[obj.options.length] = new Option('Pittsburg','3');\n";
        echo "obj.options[obj.options.length] = new Option('New Hamshire','4');\n";
        break;
}
Posted: Mon May 07, 2007 11:43 pm
by Christopher
Almost every combination. You forgot to put quotes around the country name. And at least use the database-specific escaping function if you are not going to do anything else:
Code:
$country = databasespecific_escape($_GET['countryName']);
$query_cities = "SELECT * FROM cities WHERE country LIKE '$country'";
Posted: Tue May 08, 2007 12:30 am
by RobertGonzalez
All of your queries have incorrect syntax. Try these:
Code:
$query_cities = "SELECT * FROM cities WHERE country LIKE '$_GET[countryName]'";
$query_cities = "SELECT * FROM cities WHERE country LIKE '".$_GET['countryName']."'";
$query_cities = "SELECT * FROM cities WHERE country LIKE '{$_GET['countryName']}'";
$query_cities = "SELECT * FROM cities WHERE country LIKE '$_GET[countryName]'";
Posted: Tue May 08, 2007 12:42 am
by neel_basu
This will work:
Code:
$query_cities = "SELECT * FROM `cities` WHERE `country` LIKE '".$_GET['countryName']."'";
EDIT
-------
Oh! Sorry, I overlooked the previous post. Everah has answered you.
^_^
Posted: Thu May 10, 2007 6:10 pm
by desb01
Thank you all. It works. Me so happy ^_^
Posted: Thu May 10, 2007 7:06 pm
by volka
Still prone to SQL injection.
Posted: Thu May 10, 2007 7:52 pm
by RobertGonzalez
Yes, the examples I posted were only to illustrate string concatenation. Those queries are very dangerous; I would recommend you NOT use them in a production environment.
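The fix that volka's and Christopher's posts point at, as an added example that is not code from the thread: desb01's LIKE query written first as the thread concatenates it, then with PDO's database-specific escaping, then as a prepared statement. It assumes PHP's PDO extension with the SQLite driver and uses constructed sample rows so it runs offline.

```php
<?php
// Added example, not code from the thread: the cities/country lookup done three ways
// against an in-memory SQLite database. Table and column names follow the thread;
// the PDO setup and the sample rows are constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cities (name TEXT, country TEXT)');
$pdo->exec("INSERT INTO cities VALUES ('New York', 'USA'), ('Abidjan', 'Côte d''Ivoire')");

// 1. What the thread ends up with: the request value is spliced into the SQL text,
//    so any quote character in the value changes the statement itself.
function citiesConcat(PDO $pdo, string $country): array {
    $sql = "SELECT name FROM cities WHERE country LIKE '" . $country . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Christopher's suggestion with PDO's escaping function: quote() adds the
//    surrounding quotes and escapes the ones inside for the driver in use.
function citiesQuoted(PDO $pdo, string $country): array {
    $sql = 'SELECT name FROM cities WHERE country LIKE ' . $pdo->quote($country);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. The preferred form: a placeholder in the SQL and the value bound at execute
//    time, so it is never parsed as part of the statement. Caveat: LIKE wildcards
//    (% and _) inside the bound value still act as wildcards; escape them if the
//    user should only be able to match a literal name.
function citiesPrepared(PDO $pdo, string $country): array {
    $stmt = $pdo->prepare('SELECT name FROM cities WHERE country LIKE :country');
    $stmt->execute([':country' => $country]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request value standing in for $_GET['countryName']: a legitimate
// country name that happens to contain an apostrophe.
$countryName = "Côte d'Ivoire";

try {
    citiesConcat($pdo, $countryName);
} catch (PDOException $e) {
    echo "concat:  query broke on the apostrophe: ", $e->getMessage(), "\n";
}
echo "quote(): ", implode(', ', citiesQuoted($pdo, $countryName)), "\n";
echo "prepare: ", implode(', ', citiesPrepared($pdo, $countryName)), "\n";
```

The concatenated form fails on ordinary input containing a quote for the same reason it is injectable: the value is parsed as SQL. The prepared statement is the form to use in the real page handler.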