Skipjackrick, Posted February 8, 2009
https://forums.phpfreaks.com/topic/144391-passing-variables-to-a-query/

I am passing a variable through a URL and I want to use the variable in a query. However, it doesn't work. Here is an example link that holds the variable:

http://www.mysite.com/teampage.php?team_idvar=1

This is what my query looks like (code below). I used $_REQUEST['team_idvar']. Is that correct? When I put the actual team_id it works, so I know the rest of my code is good. I get this error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

<?php
// The unbraced $_REQUEST['team_idvar'] inside the double-quoted string is what
// triggers the parse error quoted above.
$query_anglertotals = "SELECT species_id,
    SUM(IF(angler='1',1,0)) AS anglerA,
    SUM(IF(angler='2',1,0)) AS anglerB,
    SUM(IF(angler='Curmit',1,0)) AS anglerC,
    SUM(IF(angler='Old Salt',1,0)) AS anglerD,
    SUM(IF(angler='3',1,0)) AS anglerE,
    SUM(IF(team_id=1,1,0)) AS teamtotal
    FROM submit
    WHERE species_id<25 AND yyyy=2008 AND team_id=$_REQUEST['team_idvar']
    GROUP BY species_id
    ORDER BY species_id";
$anglertotals = mysql_query($query_anglertotals) or die(mysql_error());
?>
bothwell, Posted February 8, 2009

Set it as a variable just before you do your query, and then call the variable instead of the $_REQUEST inside it. SQL doesn't really seem to like $_REQUESTs being inside queries.
Skipjackrick (Author), Posted February 8, 2009

Quoting bothwell: "Set it as a variable just before you do your query, and then call the variable instead of the $_REQUEST inside it. SQL doesn't really seem to like $_REQUESTs being inside queries."

Thanks! Worked like a champ! As I was doing some Google searches I read a few things about SQL injection by passing variables through URLs. How can I protect against this? The material I was reading didn't explain it very well.
premiso, Posted February 8, 2009

mysql_real_escape_string any string data going in, and validate your data. If you expect an ID, make sure that it is numeric and not a string/anything else. etc.
Skipjackrick (Author), Posted February 8, 2009

Quoting premiso: "mysql_real_escape_string any string data going in, and validate your data. If you expect an ID, make sure that it is numeric and not a string/anything else. etc."

Ah, thanks for the help. Yes, I will only be passing numeric IDs. This will make it easy.
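As an added example (not code from the original thread or from any of its posters), here is premiso's advice applied to the query from the first post: the id from the URL is validated as a positive integer with filter_var, and it reaches MySQL only as a bound parameter of a mysqli prepared statement, which replaces the mysql_* functions of the original (removed in PHP 7). The function names validateTeamId and anglerTotals, the connection credentials, and the choice of $_GET over $_REQUEST (the value arrives in the URL) are my assumptions; the SQL is the original query with the hard-coded team_id=1 inside SUM(IF(...)) generalised to the requested team.

```php
<?php
// Added example, not from the original thread. Table and column names (submit,
// team_id, species_id, yyyy, angler) come from the original post; function names,
// credentials and the use of $_GET are assumptions.

// Returns the id as an int, or null when the input is not a positive integer.
// FILTER_VALIDATE_INT rejects anything that is not a plain decimal integer, so
// letters, punctuation and embedded SQL never get past this point.
function validateTeamId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Runs the per-species totals query for one team through a prepared statement.
function anglerTotals(mysqli $db, int $teamId): array
{
    // Both occurrences of the team id are '?' placeholders. The original post
    // hard-coded team_id=1 inside SUM(IF(...)); this generalises it to $teamId.
    $sql = "SELECT species_id,
                   SUM(IF(angler='1',1,0))        AS anglerA,
                   SUM(IF(angler='2',1,0))        AS anglerB,
                   SUM(IF(angler='Curmit',1,0))   AS anglerC,
                   SUM(IF(angler='Old Salt',1,0)) AS anglerD,
                   SUM(IF(angler='3',1,0))        AS anglerE,
                   SUM(IF(team_id=?,1,0))         AS teamtotal
            FROM submit
            WHERE species_id < 25 AND yyyy = 2008 AND team_id = ?
            GROUP BY species_id
            ORDER BY species_id";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 'ii' = two integer parameters; the server receives the SQL text and the
    // values separately, so the id is never parsed as part of the statement.
    $stmt->bind_param('ii', $teamId, $teamId);
    $stmt->execute();
    // get_result() requires the mysqlnd driver, which is the default in modern PHP.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// --- request handling ---
$teamId = validateTeamId($_GET['team_idvar'] ?? '');
if ($teamId === null) {
    http_response_code(400);
    exit('team_idvar must be a positive integer');
}

// Placeholder credentials (assumption); replace with your own.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    http_response_code(500);
    exit('database unavailable');
}

foreach (anglerTotals($db, $teamId) as $row) {
    echo htmlspecialchars((string) $row['species_id']), ': ', (int) $row['teamtotal'], "\n";
}
```

The parse error in the first post comes from the unbraced $_REQUEST['team_idvar'] inside a double-quoted string. Copying the value into a plain variable first (bothwell's fix) or writing {$_REQUEST['team_idvar']} removes the syntax error but still splices user input into the SQL text, which is exactly the injection risk the thread goes on to ask about. With a bound parameter the statement is fixed before the value arrives, so the database never interprets the id as SQL; the integer check is still worth keeping so that malformed input fails fast with a 400 instead of an empty result set, and the same pattern (validate, then bind) covers the string columns too, where mysql_real_escape_string would otherwise be needed.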