Clinton, posted January 6, 2009

I've got a table that lists office locations by city and state. Sometimes there are several offices in one city. Right now I am using the following code to pull up the cities:

```php
City: <select name="city" onchange='this.form.submit()'>
<?php
$sql = "SELECT city FROM thelist WHERE state = '$state' ORDER BY city";
$rs = mysql_query($sql);
while ($row = mysql_fetch_array($rs)) {
    extract($row);
    echo "<option value='$city'>$city</option>";
}
?>
</select>
```

But if there are three offices in one city then it will echo out that same city 3 times in the drop-down list. What's the best way to correct this so it only shows once?

hobeau, posted January 6, 2009

```php
<?php
$sql = "SELECT DISTINCT city FROM thelist WHERE state = '$state' ORDER BY city";
?>
```

Clinton (Author), posted January 6, 2009

Thanks beau. That worked perfectly. I didn't know that existed. Time to look it up.

hobeau, posted January 6, 2009

One more thing, you really should use mysql_real_escape_string($state). That is very important to prevent SQL injection.

Clinton (Author), posted January 6, 2009

Ok, how can code be injected if it's just querying?

KevinM1, posted January 6, 2009

> Ok, how can code be injected if it's just querying?

Where does $state come from?

Clinton (Author), posted January 6, 2009

db connect include then an sql statement...

```php
<?php
$sql = "SELECT * FROM $tbl_name
        WHERE (dtype = '$dtype' OR dtypewc = '$dtype')
          AND (dmajorp = '$smajor' OR dmajorc1 = '$smajor' OR dmajorc2 = '$smajor' OR dmajorc3 = '$smajor')
          $state_where $city_where
        ORDER BY jpted LIMIT $start, $limit";
$result = mysql_query($sql);
?>
```

KevinM1, posted January 6, 2009

> db connect include then an sql statement...
>
> ```php
> <?php
> $sql = "SELECT * FROM $tbl_name
>         WHERE (dtype = '$dtype' OR dtypewc = '$dtype')
>           AND (dmajorp = '$smajor' OR dmajorc1 = '$smajor' OR dmajorc2 = '$smajor' OR dmajorc3 = '$smajor')
>           $state_where $city_where
>         ORDER BY jpted LIMIT $start, $limit";
> $result = mysql_query($sql);
> ?>
> ```

That doesn't really tell me anything. Let me rephrase: is $state's value derived by the script, or is it supplied by the user?

hobeau, posted January 6, 2009

hunna03, I've had to fix many a site (not built by me) that were just querying and didn't escape their SQL statements. It doesn't matter what you are trying to do, if it gets injected into your SQL statement it can easily be turned into an insert, update, or delete statement (I'm assuming that $state is coming from the client).
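
The question raised in the thread (how a read-only query can be altered when `$state` comes from the client), as an added example that is not part of any post: the thread's `SELECT DISTINCT` query built by string interpolation, next to the same query with the value bound as a parameter. Assumptions: PDO prepared statements are swapped in for the `mysql_real_escape_string()` call recommended above, because the `mysql_*` extension was removed in PHP 7.0; an in-memory SQLite database stands in for MySQL so the script runs offline; the function names, rows and request values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the MySQL server so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the thread's table and column names.
$pdo->exec("CREATE TABLE thelist (city TEXT, state TEXT)");
$insert = $pdo->prepare("INSERT INTO thelist (city, state) VALUES (?, ?)");
foreach ([['Austin', 'TX'], ['Austin', 'TX'], ['Dallas', 'TX'], ['Boise', 'ID']] as $office) {
    $insert->execute($office);
}

// The thread's pattern: the request value is pasted into the SQL text,
// so a quote character in it ends the string literal and becomes SQL.
function citiesConcatenated(PDO $pdo, string $state): array
{
    $sql = "SELECT DISTINCT city FROM thelist WHERE state = '$state' ORDER BY city";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed and the value is bound as data,
// so it is only ever compared against the state column.
function citiesPrepared(PDO $pdo, string $state): array
{
    $stmt = $pdo->prepare("SELECT DISTINCT city FROM thelist WHERE state = ? ORDER BY city");
    $stmt->execute([$state]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request values: one ordinary, one that contains a quote.
$inputs = ['TX', "ID' OR state <> 'ID"];
foreach ($inputs as $state) {
    echo "state = $state\n";
    echo "  concatenated: " . implode(', ', citiesConcatenated($pdo, $state)) . "\n";
    echo "  prepared:     " . implode(', ', citiesPrepared($pdo, $state)) . "\n";
}
```

For the second value the concatenated query's `WHERE` clause no longer restricts by state and every city in the table is returned, while the prepared query matches no rows because no office has that literal string as its state.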