seany123 Posted November 19, 2009

This is connected to my other post asking for help with a searching page... I have this query:

    $query = $db->execute("SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."' && id = '".$_POST['id']."' order by level desc limit 20");

Now what I need help with is if $_POST['id'] is blank... then I wanna set $_POST['id'] so the query says something like this:

    $_POST['id'] = anything

so in the query above it will return all players with ANY id...

Maq Posted November 19, 2009

1) Don't use raw POST data in your query. That's a serious security vulnerability.

2) Check to see if POST has a value by using isset, then you can structure your query appropriately. Remember if you take out the condition that checks for a specific 'id' it will include all ids.

mikesta707 Posted November 19, 2009

    $query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
    if (isset($_POST['id'] && !empty($_POST['id']){
        $query .= "&& id = '".$_POST['id']."'";
    }
    $query .= "order by level desc limit 20";

something like that should work. untested

edit: as Maq said, using mysql real escape string or some other sanitizing function is highly recommended

seany123 Posted November 19, 2009

> $query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
> if (isset($_POST['id'] && !empty($_POST['id']){
>     $query .= "&& id = '".$_POST['id']."'";
> }
> $query .= "order by level desc limit 20";
>
> something like that should work. untested
>
> edit: as Maq said, using mysql real escape string or some other sanitizing function is highly recommended

That works with this, right?

    $query = $db->execute("SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."' && id = '".$_POST['id']."' order by level desc limit 20");
    while($member = $query->fetchrow()) {

Also, using your code gave me this error:

    Parse error: syntax error, unexpected T_BOOLEAN_AND, expecting ',' or ')'

seany123 Posted November 19, 2009

I was just thinking, instead of that, can't I just do this:

    <?php
    $query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
    if ($_POST['id']){
        $query .= "&& id = '".$_POST['id']."'";
    }
    $query .= "order by level desc limit 20";
    while($member = $query->fetchrow()) {

seany123 Posted November 20, 2009

Okay, so I kept getting this error:

    Call to a member function fetchrow() on a non-object

So instead of using $query as my member->fetchrow I did this:

    $query2 = $db->execute("".$query." order by level desc limit 20");

So now I have this code:

    if (!$_POST['minlevel']){
        $_POST['minlevel'] = 1;
    }
    if (!$_POST['maxlevel']){
        $_POST['maxlevel'] = 500;
    }
    if (!$_POST['money']){
        $_POST['money'] = 0;
    }
    $username = $_POST['username'];
    $query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."'";
    if (isset($_POST['id']) && !empty($_POST['id'])){
        $query .= " && id = '".$_POST['id']."'";
    }
    if (isset($_POST['username']) && !empty($_POST['username'])){
        $query .= " && username LIKE '%$username%'";
    }
    if ($_POST['city'] >= 1){
        $query .= " && city_id = '".$_POST['city']."'";
    }
    if (isset($_POST['money']) && !empty($_POST['money'])){
        $query .= " && money >= '".$_POST['money']."'";
    }
    if ($_POST['attackable'] == 1){
        $query .= " && hospital <= '0' && prison <= '0' && hp >= maxhp * 0.20";
    }
    if ($_POST['attackable'] == 0){
        $query .= " && hospital >= '1' && prison >= '1' && hp < maxhp * 0.20";
    }
    $query2 = $db->execute("".$query." order by level desc limit 20");
    while($member = $query2->fetchrow()) {
        echo $member['username'];
        echo "<br>";
    }

Except the problem is that it's only returning 1 result... when I know for a fact there are plenty... what's gone wrong? Before I made $query2 it was returning more than 1 row... so what have I done wrong?

seany123 Posted November 20, 2009

Okay, I have everything working except this. I'm not sure how it's supposed to be written:

    if ($_POST['status'] == 1){
        $query .= " && last_active >= ".Time()-900 ."";
    }
    if ($_POST['status'] == 2){
        $query .= " && last_active < ".Time()-900 ."";
    }

seany123 Posted November 20, 2009

Anyone know how I can do the above queries?

mikesta707 Posted November 20, 2009

well the function time() (assuming you are using the built in function, not your own) is time() not Time(). Beyond that I don't see much of a problem. However, you should always sanitize your input variables, via mysql_real_escape_string() or whatever is appropriate for your database

seany123 Posted November 20, 2009

> well the function time() (assuming you are using the built in function, not your own) is time() not Time(). Beyond that I don't see much of a problem. However, you should always sanitize your input variables, via mysql_real_escape_string() or whatever is appropriate for your database

It is the built-in function but it's still not working.... I will be worrying about the security issues once I have a working page, thanks.

mikesta707 Posted November 20, 2009

well how exactly is it not working. Echo the query and post what the output is

seany123 Posted November 20, 2009

It was echoing "-900". So I just turned time()-900 into a variable and now it's working.

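As an added example (not code from any poster in this thread), here is one way to build the optional-filter search with bound parameters through PDO instead of concatenated $_POST values; build_player_search() and the in-memory SQLite demo data are assumptions made for illustration. It also computes the time() - 900 cutoff before it reaches the SQL: before PHP 8, `.` and `-` had the same precedence, so `"..." . time()-900` evaluated to -900, as seen above.

```php
<?php
// Added example, not the thread's code: the search built with bound parameters.
// build_player_search() is a hypothetical helper; column names follow the posts.
function build_player_search(array $in, int $now): array
{
    // Non-negative integer from the request, or the default when blank/invalid.
    $int = fn($k, $default) => filter_var($in[$k] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['default' => $default, 'min_range' => 0]]);

    $where  = ['level >= :minlevel', 'level <= :maxlevel', 'money >= :money'];
    $params = [':minlevel' => $int('minlevel', 1),
               ':maxlevel' => $int('maxlevel', 500),
               ':money'    => $int('money', 0)];

    if (($id = $int('id', 0)) > 0) {          // blank id: no id condition at all
        $where[] = 'id = :id';
        $params[':id'] = $id;
    }
    $name = trim((string)($in['username'] ?? ''));
    if ($name !== '') {
        // Escape LIKE wildcards with '!' so % and _ in the input match literally.
        $where[] = "username LIKE :name ESCAPE '!'";
        $params[':name'] = '%' . preg_replace('/[!%_]/', '!$0', $name) . '%';
    }
    $status = $int('status', 0);
    if ($status === 1 || $status === 2) {
        // Cutoff is computed in PHP and bound, never concatenated into the SQL.
        $where[] = $status === 1 ? 'last_active >= :cutoff' : 'last_active < :cutoff';
        $params[':cutoff'] = $now - 900;
    }
    $sql = 'SELECT id, username FROM players WHERE ' . implode(' AND ', $where)
         . ' ORDER BY level DESC LIMIT 20';
    return [$sql, $params];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT,
           level INT, money INT, last_active INT)');
$now = time();
$db->exec("INSERT INTO players VALUES (1,'alice',10,500,$now), (2,'o''neil',40,0,$now)");

// Constructed request: blank id, a name containing a quote, status 1 (recently active).
$post = ['id' => '', 'username' => "o'ne", 'status' => '1'];
[$sql, $params] = build_player_search($post, $now);
$stmt = $db->prepare($sql);
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```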