Jump to content

[SOLVED] mysql select with multiple values

champoi

By champoi
in PHP Coding Help

 Share

Recommended Posts

champoi Member

champoi

Posted
Posted

i'm creating a program that selects in a database multiple values depending on how the user wants,

ex.

i have a drop down box that has values ranging from 0-999, and the user will choose the upper limit, for example, if the user enters 3, then entries with 0,1,2 and 3 must be stored in the mysql_fetch_assoc command, this is what i tried:

 

  $sql2 = "SELECT * FROM `my_db` WHERE `expschool`<='".$_POST['expschool']."' AND `status`='1'";
  $qry2 = mysql_query($sql2) or die(mysql_error());
  $list = mysql_fetch_assoc($qry2);

 

but this was the error showed "mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource", and i think the query is kinda stupid, haha, cant think of anything, ELP!

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

The backquotes should be fine. If the expschool and status are numeric fields you can try removing the single quotes from the seach values (as Maq did for the status, but not the expschool).

 

$exp_school = mysql_real_escape_string(trim($_POST['expschool']));
$sql2 = "SELECT * FROM my_db WHERE expschool <= $exp_school AND status = 1";

 

Also, have you validated the value for $exp_school? You should, at a minimum, use mysql_real_escape_string() on that value before running a query on it - otherwise you are opening a hugh hole for SQL Injection.

Link to comment
Share on other sites
Maq Prolific Member

Maq

Posted
Posted

Also, have you validated the value for $exp_school? You should, at a minimum, use mysql_real_escape_string() on that value before running a query on it - otherwise you are opening a hugh hole for SQL Injection.

 

Ah yes, I missed a very important issue regarding security.  Thanks mjdamato  ;)

Link to comment
Share on other sites
champoi Member

champoi

Posted
  • Author
Posted

The backquotes should be fine. If the expschool and status are numeric fields you can try removing the single quotes from the seach values (as Maq did for the status, but not the expschool).

 

$exp_school = mysql_real_escape_string(trim($_POST['expschool']));
$sql2 = "SELECT * FROM my_db WHERE expschool <= $exp_school AND status = 1";

 

Also, have you validated the value for $exp_school? You should, at a minimum, use mysql_real_escape_string() on that value before running a query on it - otherwise you are opening a hugh hole for SQL Injection.

 

i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou :D, just ate food, i'll try your suggestions and corrections  :D

Link to comment
Share on other sites
Maq Prolific Member

Maq

Posted
Posted
i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou :D, just ate food, i'll try your suggestions and corrections  :D

 

Ok, that's your choice...  It's always good to cleanse the value anyway because if you decide to change the way that it is inputted or copy this code for something else, etc... you may have a problem. 

 

Anyway, your problem lays here;

 

 

The single quotes from the post get confused with the single quotes surrounding the actual value.  You don't even need those single quotes because you're comparing integers.  A good way to debug this situation is echo out $sql2 to see the actual query statement that is taking place. 
Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted
i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou :D, just ate food, i'll try your suggestions and corrections  :D

 

A Select list cannot be relied upon for validation. A person can "POST" data to your site without using your form(s). Anyone with enough knowledge to perform SQL injection could easily create a copy of your form and modify it to allow any values they want, and then post that data to your site. Never trust any data coming from the user.

Link to comment
Share on other sites
champoi Member

champoi

Posted
  • Author
Posted

i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou :D, just ate food, i'll try your suggestions and corrections  :D

 

Ok, that's your choice...  It's always good to cleanse the value anyway because if you decide to change the way that it is inputted or copy this code for something else, etc... you may have a problem. 

 

Anyway, your problem lays here;

 

<='".$_POST['expschool']."' AND

 

The single quotes from the post get confused with the single quotes surrounding the actual value.  You don't even need those single quotes because you're comparing integers.  A good way to debug this situation is echo out $sql2 to see the actual query statement that is taking place.

 

thnx, now it's working :D

Link to comment
Share on other sites
champoi Member

champoi

Posted
  • Author
Posted

Why don't people use { } around arrays?  Makes it so much easier.

 

i think it's easier, but i just want to make sure that i dont mess up codes, it's already a great thing for me to do some working scripts, i think i'll be using those when i'm really tired of typing codes, but for now, i'll settle with [' '] :D

Link to comment
Share on other sites
champoi Member

champoi

Posted
  • Author
Posted

i think myql injections are impossible since im using a drop down box in the form where expschool is in, thnx for the concern thou :D, just ate food, i'll try your suggestions and corrections  :D

 

Never trust any data coming from the user.

 

I'll keep that in mind :D thnx  :D

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

Why don't people use { } around arrays?  Makes it so much easier.

 

i think it's easier, but i just want to make sure that i dont mess up codes, it's already a great thing for me to do some working scripts, i think i'll be using those when i'm really tired of typing codes, but for now, i'll settle with [' '] :D

 

I beleive he's referring to this bit of code

$sql2 = "SELECT * FROM `my_db` WHERE `expschool`<='".$_POST['expschool']."' AND `status`='1'";

 

Instead of "exiting" the quotes for the POST value, this could have been done:

$sql2 = "SELECT * FROM `my_db` WHERE `expschool`<='{$_POST['expschool']}' AND `status`='1'";

 

In fact, you can put {} around any variable within a double quoted string and the {} are stripped out of the result. I do agree that it makes it much more readable when decyphering the variables within a string.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.