$_GET syntax use [Solved]

Posted: Sun May 06, 2007 9:52 pm
by desb01
Why is this not working ???

$query_test = 'SELECT * FROM table WHERE var LIKE $_GET['varName']';

I check varName and it has the good value.

Thanks in advance for help.

Re: $_GET syntax use

Posted: Sun May 06, 2007 10:11 pm
by AKA Panama Jack
desb01 wrote:
Why is this not working ???

$query_test = 'SELECT * FROM table WHERE var LIKE $_GET['varName']';

I check varName and it has the good value.

Thanks in advance for help.

Code:

$query_test = "SELECT * FROM table WHERE var LIKE $_GET[varName]";

Use double quotes around the query and remove the single quotes around the element name in the $_GET variable.

Posted: Mon May 07, 2007 8:24 am
by vigge89
Also, use braces when working with arrays inside double quotes, or do it outside of the double quotes:

Code:

$query_test = "SELECT * FROM table WHERE var LIKE {$_GET['varName']}";

Code:

$query_test = "SELECT * FROM table WHERE var LIKE ".$_GET['varName'];

Posted: Mon May 07, 2007 8:37 am
by volka
You also need to take care of SQL injections, see http://de2.php.net/security.database.sql-injection

Posted: Mon May 07, 2007 1:39 pm
by RobertGonzalez
Always quote your array indices...

Array do's and don'ts from the manual

:(

Posted: Mon May 07, 2007 9:32 pm
by desb01
feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


First of all, thank you for taking the time answering my question.

Next, I tried all of the above without any success.

The following works:

Code:

$query_cities = 'SELECT * FROM cities WHERE country LIKE "USA"';

The following don't:

Code:

$query_cities = "SELECT * FROM cities WHERE country LIKE $_GET[countryName]";
$query_cities = "SELECT * FROM cities WHERE country LIKE ".$_GET['countryName'];
$query_cities = "SELECT * FROM cities WHERE country LIKE {$_GET['countryName']}";
$query_cities = "SELECT * FROM cities WHERE country LIKE $_GET[countryName]";

The following works:

Code:

switch($_GET['countryName']){
  case "USA":
    echo "obj.options[obj.options.length] = new Option('New York','1');\n";
    echo "obj.options[obj.options.length] = new Option('Los Angeles','2');\n";
    echo "obj.options[obj.options.length] = new Option('Pittsburg','3');\n";
    echo "obj.options[obj.options.length] = new Option('New Hamshire','4');\n";
    break;
}

Posted: Mon May 07, 2007 11:43 pm
by Christopher
Almost every combination. You forgot to put quotes around the country name. And at least use the database specific escaping function if you are not going to do anything else:

Code:

$country = databasespecific_escape($_GET['countryName']);
$query_cities = "SELECT * FROM cities WHERE country LIKE '$country'";

Posted: Tue May 08, 2007 12:30 am
by RobertGonzalez
All of your queries are incorrect syntax. Try these:

Code:

$query_cities = "SELECT * FROM cities WHERE country LIKE '$_GET[countryName]'";
$query_cities = "SELECT * FROM cities WHERE country LIKE '".$_GET['countryName']."'";
$query_cities = "SELECT * FROM cities WHERE country LIKE '{$_GET['countryName']}'";
$query_cities = "SELECT * FROM cities WHERE country LIKE '$_GET[countryName]'";

Posted: Tue May 08, 2007 12:42 am
by neel_basu
This will work

Code:

$query_cities = "SELECT * FROM `cities` WHERE `country` LIKE '".$_GET['countryName']."'";

EDIT
-------
Oh! Sorry, I overlooked the previous post. Everah has answered you.

^_^

Posted: Thu May 10, 2007 6:10 pm
by desb01
Thank you all. It works. Me so happy ^_^

Posted: Thu May 10, 2007 7:06 pm
by volka
Still prone to SQL injections.

Posted: Thu May 10, 2007 7:52 pm
by RobertGonzalez
Yes, the examples I posted were only for illustration of string concatenation. Those queries are very dangerous; I would recommend you NOT use them in a production environment.
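Added example, not code from the thread: the concatenated query from the posts above beside a prepared-statement version, run against a constructed in-memory SQLite table so it works offline (assumes the PDO and pdo_sqlite extensions are available; the table rows and inputs are made up for the demo).

```php
<?php
// Constructed demo table: two cities, two countries.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cities (name TEXT, country TEXT)');
$db->exec("INSERT INTO cities VALUES ('New York', 'USA'), ('Paris', 'France')");

// The pattern from the thread: the value is pasted into the SQL text, so any
// quote, % or _ inside it is read as SQL syntax rather than as data.
function citiesConcat(PDO $db, string $country): array
{
    $sql = "SELECT name FROM cities WHERE country LIKE '" . $country . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is sent as a bound parameter and cannot alter
// the query structure. LIKE wildcards are still wildcards even when bound, so
// % and _ are escaped here to make the comparison literal (ESCAPE clause).
function citiesPrepared(PDO $db, string $country): array
{
    $literal = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $country);
    $stmt = $db->prepare("SELECT name FROM cities WHERE country LIKE :c ESCAPE '\\'");
    $stmt->execute([':c' => $literal]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal value and one that merely contains a quote,
// as a real place name might. The first breaks the concatenated query.
foreach (['USA', "USA'"] as $input) {
    try {
        $found = citiesConcat($db, $input);
        echo "concat   [$input]: " . implode(', ', $found) . "\n";
    } catch (PDOException $e) {
        echo "concat   [$input]: SQL error (" . $e->getMessage() . ")\n";
    }
    $found = citiesPrepared($db, $input);
    echo "prepared [$input]: " . (implode(', ', $found) ?: '(no match)') . "\n";
}
```

The concatenated form fails (or does something unintended) as soon as the input contains a quote, while the bound parameter simply matches nothing for the second input.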