Clinton Posted January 6, 2009 Share Posted January 6, 2009 I've got a table that lists office locations by city and state. Sometimes there are several offices in one city. Right now I am using the following code to pull up the citys City: <select name="city" onchange='this.form.submit()'> <?php $sql = "SELECT city FROM thelist WHERE state = '$state' ORDER BY city"; $rs = mysql_query($sql); while($row = mysql_fetch_array($rs)) { extract($row); echo "<option value='$city'>$city</option>"; } ?> </select> But if there is three offices in one city then it will echo out that same city 3 times in the drop down list. What's the best way to correct this so it only shows once? Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/ Share on other sites More sharing options...
hobeau Posted January 6, 2009 Share Posted January 6, 2009 <?php $sql = "SELECT DISTINCT city FROM thelist WHERE state = '$state' ORDER BY city"; ?> Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730945 Share on other sites More sharing options...
Clinton Posted January 6, 2009 Author Share Posted January 6, 2009 Thanks beau. That worked perfectly. I didn't know that existed. Time to look it up. Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730948 Share on other sites More sharing options...
hobeau Posted January 6, 2009 Share Posted January 6, 2009 One more thing, you really should use mysql_real_escape_string($state). That is very important to prevent sql injection. Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730949 Share on other sites More sharing options...
Clinton Posted January 6, 2009 Author Share Posted January 6, 2009 Ok, how can code be injected if it's just querying? Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730950 Share on other sites More sharing options...
KevinM1 Posted January 6, 2009 Share Posted January 6, 2009 Ok, how can code be injected if it's just querying? Where does $state come from? Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730971 Share on other sites More sharing options...
Clinton Posted January 6, 2009 Author Share Posted January 6, 2009 db connect include then an sql statement... <?php $sql = "SELECT * FROM $tbl_name WHERE (dtype = '$dtype' OR dtypewc = '$dtype') AND (dmajorp = '$smajor' OR dmajorc1 = '$smajor' OR dmajorc2 = '$smajor' OR dmajorc3 = '$smajor') $state_where $city_where ORDER BY jpted LIMIT $start, $limit"; $result = mysql_query($sql); ?> Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730976 Share on other sites More sharing options...
KevinM1 Posted January 6, 2009 Share Posted January 6, 2009 db connect include then an sql statement... <?php $sql = "SELECT * FROM $tbl_name WHERE (dtype = '$dtype' OR dtypewc = '$dtype') AND (dmajorp = '$smajor' OR dmajorc1 = '$smajor' OR dmajorc2 = '$smajor' OR dmajorc3 = '$smajor') $state_where $city_where ORDER BY jpted LIMIT $start, $limit"; $result = mysql_query($sql); ?> That doesn't really tell me anything. Let me rephrase: is $state's value derived by the script, or is it supplied by the user? Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-730997 Share on other sites More sharing options...
hobeau Posted January 6, 2009 Share Posted January 6, 2009 hunna03, I've had to fix many a site (not built by me) that were just querying and didn't escape their sql statements. It doesn't matter what you are trying to do, if it gets injected into your sql statement it can easily be turned into an insert, update, or delete statement (I'm assuming that $state is coming from the client). Link to comment https://forums.phpfreaks.com/topic/139705-solved-best-practice/#findComment-731084 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.