ahouchens (Posted October 16, 2009): How can I store an operator in a variable? Then I want to use that variable (with the assigned operator) in a MySQL query. I've been able to find absolutely NOTHING on the internet. 3+ hours searching. https://forums.phpfreaks.com/topic/177962-dynamic-operator/
teynon (Posted October 16, 2009): You would have to store the operator as a string, i.e. $b="+"; To use it in a MySQL query: "INSERT INTO blah value='{$b}'" or, if you wanted to actually use the operator: "UPDATE BLAH set VALUE = VALUE {$b} 1"
ahouchens (Author, Posted October 16, 2009): THANK YOU. I kept thinking that I had to use eval(). I was making it way more complicated.
simshaun (Posted October 16, 2009): Are you allowing users to enter or select this operator? If so, be conscious about SQL injection (i.e. verify the operator is a valid one).
ahouchens (Author, Posted October 16, 2009): The operator is coming from user input as a select list. And that part of the site is restricted to admins only.
teynon (Posted October 16, 2009): ahouchens, if you believe you can trust admins, then that's up to you, but they can still modify input on a select statement or any kind of input for that matter. It would be a simple check for you to do this: if (!preg_match("@^[+=*/-]$@", $_POST['input'])) { die("Possible SQL Injection"); }
simshaun (Posted October 16, 2009): Regardless, you should validate the operator in your PHP script before actually injecting it right into your SQL statement. It's possible to change a select box's options' values fairly easily. If you don't validate, it's possible for anybody who happens to gain access to the admin area (illegally or not) to inject SQL.
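The validation teynon and simshaun describe, as an added example that is not code from the thread: the operator is checked against a fixed whitelist before it is concatenated into the SQL text (an operator cannot be a bound parameter, since placeholders only stand in for values), and the numeric operand is bound through a PDO prepared statement. The table name inventory, the columns qty and id, and the DSN and credentials are assumptions for the example.

```php
<?php
// Added example, not from the original thread. Assumed table: inventory(id INT, qty INT).

// Whitelist of operators the admin select list may submit. Keys are the submitted
// values; the mapped string is the only text that ever reaches the SQL statement.
const ALLOWED_OPERATORS = ['+' => '+', '-' => '-', '*' => '*', '/' => '/'];

function buildUpdate(string $op): string
{
    if (!array_key_exists($op, ALLOWED_OPERATORS)) {
        // Anything not in the whitelist (e.g. a tampered select value) is rejected outright.
        throw new InvalidArgumentException('Unsupported operator');
    }
    return 'UPDATE inventory SET qty = qty ' . ALLOWED_OPERATORS[$op]
         . ' :amount WHERE id = :id';
}

function applyOperator(PDO $pdo, string $op, int $amount, int $id): int
{
    if ($op === '/' && $amount === 0) {
        throw new InvalidArgumentException('Division by zero');
    }
    $stmt = $pdo->prepare(buildUpdate($op));
    // The operand and row id are bound as values, never interpolated into the query.
    $stmt->bindValue(':amount', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling: the select list's value is validated, not trusted, even for admins.
$op     = (string) ($_POST['op'] ?? '');
$amount = filter_input(INPUT_POST, 'amount', FILTER_VALIDATE_INT);
$id     = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($amount === false || $amount === null || $id === false || $id === null) {
    http_response_code(400);
    exit('amount and id must be integers');
}
try {
    // Assumed connection details; native prepares keep values and SQL text separate.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    echo applyOperator($pdo, $op, $amount, $id) . " row(s) updated\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit($e->getMessage());
}
```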
ahouchens (Author, Posted October 16, 2009): Thank you for your security help, guys. I appreciate it very much.