champoi Posted November 26, 2008 Share Posted November 26, 2008 i'm creating a program that selects in a database multiple values depending on how the user wants, ex. i have a drop down box that has values ranging from 0-999, and the user will choose the upper limit, for example, if the user enters 3, then entries with 0,1,2 and 3 must be stored in the mysql_fetch_assoc command, this is what i tried: $sql2 = "SELECT * FROM `my_db` WHERE `expschool`<='".$_POST['expschool']."' AND `status`='1'"; $qry2 = mysql_query($sql2) or die(mysql_error()); $list = mysql_fetch_assoc($qry2); but this was the error showed "mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource", and i think the query is kinda stupid, haha, cant think of anything, ELP! Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/ Share on other sites More sharing options...
Maq Posted November 26, 2008 Share Posted November 26, 2008 Try this: $exp_school = $_POST['expschool']; $sql2 = "SELECT * FROM my_db WHERE expschool $qry2 = mysql_query($sql2) or die(mysql_error()); $list = mysql_fetch_assoc($qry2); Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699625 Share on other sites More sharing options...
Psycho Posted November 26, 2008 Share Posted November 26, 2008 The backquotes should be fine. If the expschool and status are numeric fields you can try removing the single quotes from the seach values (as Maq did for the status, but not the expschool). $exp_school = mysql_real_escape_string(trim($_POST['expschool'])); $sql2 = "SELECT * FROM my_db WHERE expschool <= $exp_school AND status = 1"; Also, have you validated the value for $exp_school? You should, at a minimum, use mysql_real_escape_string() on that value before running a query on it - otherwise you are opening a hugh hole for SQL Injection. Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699636 Share on other sites More sharing options...
Maq Posted November 26, 2008 Share Posted November 26, 2008 Also, have you validated the value for $exp_school? You should, at a minimum, use mysql_real_escape_string() on that value before running a query on it - otherwise you are opening a hugh hole for SQL Injection. Ah yes, I missed a very important issue regarding security. Thanks mjdamato Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699641 Share on other sites More sharing options...
champoi Posted November 26, 2008 Author Share Posted November 26, 2008 The backquotes should be fine. If the expschool and status are numeric fields you can try removing the single quotes from the seach values (as Maq did for the status, but not the expschool). $exp_school = mysql_real_escape_string(trim($_POST['expschool'])); $sql2 = "SELECT * FROM my_db WHERE expschool <= $exp_school AND status = 1"; Also, have you validated the value for $exp_school? You should, at a minimum, use mysql_real_escape_string() on that value before running a query on it - otherwise you are opening a hugh hole for SQL Injection. i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou , just ate food, i'll try your suggestions and corrections Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699662 Share on other sites More sharing options...
Maq Posted November 26, 2008 Share Posted November 26, 2008 i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou , just ate food, i'll try your suggestions and corrections Ok, that's your choice... It's always good to cleanse the value anyway because if you decide to change the way that it is inputted or copy this code for something else, etc... you may have a problem. Anyway, your problem lays here; The single quotes from the post get confused with the single quotes surrounding the actual value. You don't even need those single quotes because you're comparing integers. A good way to debug this situation is echo out $sql2 to see the actual query statement that is taking place. Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699672 Share on other sites More sharing options...
revraz Posted November 26, 2008 Share Posted November 26, 2008 Why don't people use { } around arrays? Makes it so much easier. Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699673 Share on other sites More sharing options...
Psycho Posted November 26, 2008 Share Posted November 26, 2008 i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou , just ate food, i'll try your suggestions and corrections A Select list cannot be relied upon for validation. A person can "POST" data to your site without using your form(s). Anyone with enough knowledge to perform SQL injection could easily create a copy of your form and modify it to allow any values they want, and then post that data to your site. Never trust any data coming from the user. Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699683 Share on other sites More sharing options...
Maq Posted November 26, 2008 Share Posted November 26, 2008 Why don't people use { } around arrays? Makes it so much easier. Arrays, where? Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699684 Share on other sites More sharing options...
champoi Posted November 26, 2008 Author Share Posted November 26, 2008 i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou , just ate food, i'll try your suggestions and corrections Ok, that's your choice... It's always good to cleanse the value anyway because if you decide to change the way that it is inputted or copy this code for something else, etc... you may have a problem. Anyway, your problem lays here; <='".$_POST['expschool']."' AND The single quotes from the post get confused with the single quotes surrounding the actual value. You don't even need those single quotes because you're comparing integers. A good way to debug this situation is echo out $sql2 to see the actual query statement that is taking place. thnx, now it's working Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699685 Share on other sites More sharing options...
champoi Posted November 26, 2008 Author Share Posted November 26, 2008 Why don't people use { } around arrays? Makes it so much easier. i think it's easier, but i just want to make sure that i dont mess up codes, it's already a great thing for me to do some working scripts, i think i'll be using those when i'm really tired of typing codes, but for now, i'll settle with [' '] Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699687 Share on other sites More sharing options...
champoi Posted November 26, 2008 Author Share Posted November 26, 2008 i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou , just ate food, i'll try your suggestions and corrections Never trust any data coming from the user. I'll keep that in mind thnx Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699688 Share on other sites More sharing options...
Psycho Posted November 26, 2008 Share Posted November 26, 2008 Why don't people use { } around arrays? Makes it so much easier. i think it's easier, but i just want to make sure that i dont mess up codes, it's already a great thing for me to do some working scripts, i think i'll be using those when i'm really tired of typing codes, but for now, i'll settle with [' '] I beleive he's referring to this bit of code $sql2 = "SELECT * FROM `my_db` WHERE `expschool`<='".$_POST['expschool']."' AND `status`='1'"; Instead of "exiting" the quotes for the POST value, this could have been done: $sql2 = "SELECT * FROM `my_db` WHERE `expschool`<='{$_POST['expschool']}' AND `status`='1'"; In fact, you can put {} around any variable within a double quoted string and the {} are stripped out of the result. I do agree that it makes it much more readable when decyphering the variables within a string. Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699787 Share on other sites More sharing options...
revraz Posted November 26, 2008 Share Posted November 26, 2008 You do know that $_POST variables are an array right? Why don't people use { } around arrays? Makes it so much easier. Arrays, where? Quote Link to comment https://forums.phpfreaks.com/topic/134381-solved-mysql-select-with-multiple-values/#findComment-699799 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.