Skipjackrick Posted February 8, 2009

I am passing a variable through a URL and I want to use the variable in a query. However it doesn't work. Here is an example link that holds the variable.

http://www.mysite.com/teampage.php?team_idvar=1

This is what my query looks like. (Code below) I used $_REQUEST['team_idvar']. Is this correct? When I put the actual team_id it works so I know the rest of my code is good. I get this error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

```php
<?php
// Posted as-is: the quoted key $_REQUEST['team_idvar'] inside a double-quoted
// string is what triggers the T_ENCAPSED_AND_WHITESPACE parse error above.
$query_anglertotals = "SELECT species_id,
    SUM(IF(angler='1',1,0)) AS anglerA,
    SUM(IF(angler='2',1,0)) AS anglerB,
    SUM(IF(angler='Curmit',1,0)) AS anglerC,
    SUM(IF(angler='Old Salt',1,0)) AS anglerD,
    SUM(IF(angler='3',1,0)) AS anglerE,
    SUM(IF(team_id=1,1,0)) AS teamtotal
    FROM submit
    WHERE species_id<25 AND yyyy=2008 AND team_id=$_REQUEST['team_idvar']
    GROUP BY species_id
    ORDER BY species_id";
$anglertotals = mysql_query($query_anglertotals) or die(mysql_error());
?>
```
bothwell Posted February 8, 2009

Set it as a variable just before you do your query, and then call the variable instead of the $_REQUEST inside it. SQL doesn't really seem to like $_REQUESTs being inside queries.
Skipjackrick (Author) Posted February 8, 2009

> Set it as a variable just before you do your query, and then call the variable instead of the $_REQUEST inside it. SQL doesn't really seem to like $_REQUESTs being inside queries.

Thanks! Worked like a champ! As I was doing some Google searches I read a few things about SQL injection by passing variables through URLs. How can I protect against this? The material I was reading didn't explain it very well.
premiso Posted February 8, 2009

mysql_real_escape_string any string data going in and validate your data. If you expect an ID, make sure that it is numeric and not a string/anything else. etc.
Skipjackrick (Author) Posted February 8, 2009

> mysql_real_escape_string any string data going in and validate your data. If you expect an ID, make sure that it is numeric and not a string/anything else. etc.

Ah, thanks for the help. Yes, I will only be passing numeric IDs. This will make it easy.
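The validate-then-query approach premiso describes, written out as an added example (not code from any poster in the thread). It assumes a mysqli connection in $db, the same "submit" table and columns as the original query, and the mysqlnd driver for get_result(); it reads the id from $_GET since it arrives in the URL, and binds it as an integer parameter instead of interpolating it into the SQL string.

```php
<?php
// Added example, not the poster's code. Assumes a mysqli connection in $db
// and the same "submit" table as the thread; requires the mysqlnd driver
// for get_result(). The old ext/mysql (mysql_query) API is not used here.

// Accept only a plain positive integer for the team id taken from the URL.
// Empty, signed, whitespace-padded or non-numeric input yields null, so no
// attacker-controlled text can ever reach the SQL string.
function parse_team_id(array $request, string $key = 'team_idvar'): ?int
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    $raw = $request[$key];
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Same query as the thread, but the id is bound as an integer parameter
// rather than interpolated; the hard-coded team_id=1 inside the IF() is
// replaced with the same bound value so both places agree.
function angler_totals(mysqli $db, int $team_id): array
{
    $sql = "SELECT species_id,
                   SUM(IF(angler='1',1,0))        AS anglerA,
                   SUM(IF(angler='2',1,0))        AS anglerB,
                   SUM(IF(angler='Curmit',1,0))   AS anglerC,
                   SUM(IF(angler='Old Salt',1,0)) AS anglerD,
                   SUM(IF(angler='3',1,0))        AS anglerE,
                   SUM(IF(team_id=?,1,0))         AS teamtotal
            FROM submit
            WHERE species_id < 25 AND yyyy = 2008 AND team_id = ?
            GROUP BY species_id
            ORDER BY species_id";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ii', $team_id, $team_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage: reject bad input with a 400 before any SQL is built.
$team_id = parse_team_id($_GET);
if ($team_id === null) {
    http_response_code(400);
    exit('invalid team id');
}
$anglertotals = angler_totals($db, $team_id);
```

For an integer id the whitelist check plus a bound parameter is the right tool; mysql_real_escape_string only escapes quote characters in string data and does nothing for an unquoted numeric comparison like team_id=....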