
How to Write this Query Properly?


glassfish

Recommended Posts

You can't just drop some PHP value into a query string, especially when that value comes from the user. This makes your application wide open to SQL injection attacks and all kinds of bugs.


Use prepared statements to properly pass values to the database system. Note that you'll need the PDO or the MySQLi extension. If you're still using the old mysql_* functions, it's time to switch.


If $_GET['id'] is supposed to be a number, you can modify the query as follows:

$query = "SELECT * FROM ttn01 WHERE id = {$_GET['id']}";

The curly brackets are needed when you include an array variable ($_GET['id']), which has quotes around the index, in a string.


As the others have suggested, you'll also want to take the necessary precautions to protect your query from injection attacks. If you're unable to use prepared statements and $_GET['id'] is supposed to be a number, you can run the variable through ctype_digit():

http://php.net/manual/en/function.ctype-digit.php


If $_GET['id'] contains anything other than a number, throw an error instead of running the query.

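The two approaches from this thread side by side, as an added example that is not from either poster: the interpolated query from the reply above, then the same lookup done with a PDO prepared statement and with MySQLi, each behind the ctype_digit() check. The table name ttn01 and the id column come from the thread; the DSN, credentials and function names are assumptions.

```php
<?php
// Added example (not from the thread). ttn01 and the id column are taken
// from the posts above; the DSN and credentials below are placeholders.
declare(strict_types=1);

// Unsafe: the raw query-string value is pasted into the SQL text, so the
// database parses whatever the user sent as part of the WHERE clause.
function vulnerableQuery(array $get): string
{
    return "SELECT * FROM ttn01 WHERE id = {$get['id']}";
}

// Safe with PDO: the value travels separately from the SQL text, so the
// server never interprets it as SQL. The ctype_digit() guard from the
// thread is kept as a second layer and gives a clear error for bad input.
function fetchRowById(PDO $pdo, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM ttn01 WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same thing with MySQLi for code bases that do not use PDO.
function fetchRowByIdMysqli(mysqli $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT * FROM ttn01 WHERE id = ?');
    $id = (int) $rawId;
    $stmt->bind_param('i', $id);      // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;              // fetch_assoc() gives null when no row
}

// Placeholder connection settings; turn off emulated prepares so the
// statement is really prepared server-side.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$row = fetchRowById($pdo, $_GET['id'] ?? '');   // '' fails ctype_digit()
```

Note that ctype_digit() only accepts strings of 0-9, so a missing or empty id is rejected before the query runs, which is the "throw an error instead of running the query" behaviour described above.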
