
Quick Question about Mysql and PHP


paulman888888


I have my code, and would like to use the WHERE function. My code below.

$sort = isset($_GET['order']) ? mysql_real_escape_string($_GET['order']) : 'id';
$result = mysql_query("SELECT * FROM unit4_music ORDER BY $sort WHERE who=$_GET['who'] ASC"); //the part that needs editing

 

The problem is that my URL will not always have something with the who variable.

I'll explain

mypage.php?who=50 <<-- that's fine because it will show everything where who equals 50

mypage.php <<-- there's no ?who=number, and when it's like that I would not like to use the WHERE function.

It's hard to explain but I bet there's a simple solution.

Thank you

paul


So... use a condition to concat the WHERE clause onto your query string if it's there. Also, you should not be putting variables like that directly into your query string. You should sanitize them first. That's just begging for SQL injection.

Just use an if statement like you did with the sort:

<?php
// Sort column from the query string, defaulting to id
$sort = isset($_GET['order']) ? mysql_real_escape_string($_GET['order']) : 'id';
// Add the WHERE clause only when ?who= is present
$where = isset($_GET['who']) ? "WHERE `who` = '".mysql_real_escape_string($_GET['who'])."' " : "";
$result = mysql_query("SELECT * FROM unit4_music $where ORDER BY $sort"); //the part that needs editing
?>

 

Also fixed the statement, WHERE comes before ORDER

 

Ray
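
An added example, not code from either poster: the same optional WHERE clause built with PDO prepared statements (the mysql_* functions used in the thread were removed in PHP 7). The `who` value is bound as a parameter, and the `order` value, which is a column name that escaping does not make safe, is checked against a fixed list. The `title` column, the sample rows and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Table unit4_music and columns id, who are from the thread; the title column,
// the sample rows and the in-memory SQLite database are constructed assumptions.

// Returns [sql, params]. `who` is bound as a parameter; `order` is a column
// name, which cannot be bound, so it must match a fixed list exactly.
function build_music_query(array $get): array
{
    $sortable = ['id', 'who', 'title'];   // assumed column list
    $sort = 'id';
    if (isset($get['order']) && in_array($get['order'], $sortable, true)) {
        $sort = $get['order'];
    }

    $sql = 'SELECT * FROM unit4_music';
    $params = [];
    if (isset($get['who']) && is_scalar($get['who']) && $get['who'] !== '') {
        $sql .= ' WHERE who = :who';       // WHERE only when ?who= is present
        $params[':who'] = (int) $get['who'];
    }
    return [$sql . " ORDER BY $sort ASC", $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE unit4_music (id INTEGER PRIMARY KEY, who INTEGER, title TEXT)');
$pdo->exec("INSERT INTO unit4_music (who, title) VALUES (50, 'b-side'), (50, 'a-side'), (7, 'demo')");

// Constructed request parameters standing in for $_GET
$requests = [
    [],                                    // mypage.php
    ['who' => '50', 'order' => 'title'],   // mypage.php?who=50&order=title
    // Contains nothing an escaping function would change, yet is not a
    // single column name, so the list check falls back to id.
    ['who' => '50', 'order' => 'who, title'],
];

foreach ($requests as $get) {
    [$sql, $params] = build_music_query($get);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    printf("%s  -> %d row(s)\n", $sql, count($rows));
}
```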
