This is connected to my other post asking for help with a searching page... I have this query...

 

 


$query = $db->execute("SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."' && id = '".$_POST['id']."' order by level desc limit 20");

 

 

Now what I need help with is if $_POST['id'] is blank... then I want to set $_POST['id'] so the query says something like this..

 

$_POST['id'] = anything

 

 

so in the query above it will return all players with ANY id...

https://forums.phpfreaks.com/topic/182207-solved-help-with-query/

1) Don't use raw POST data in your query.  That's a serious security vulnerability.

2) Check to see if POST has a value by using isset, then you can structure your query appropriately.  Remember if you take out the condition that checks for a specific 'id' it will include all ids.

 

$query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
if (isset($_POST['id'] && !empty($_POST['id']){
$query .= "&& id = '".$_POST['id']."'";
}
$query .= "order by level desc limit 20";

 

 

something like that should work. untested

 

edit: as Maq said, using mysql real escape string or some other sanitizing function is highly recommended

 

 


 

 

that works with this right?

 

$query = $db->execute("SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."' && id = '".$_POST['id']."' order by level desc limit 20");

while($member = $query->fetchrow())
{

 

 

also using your code gave me this error:

 

Parse error: syntax error, unexpected T_BOOLEAN_AND, expecting ',' or ')'

I was just thinking, instead of that, can't I just do this:

 

<?php

$query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
if ($_POST['id']){
$query .= "&& id = '".$_POST['id']."'";
}
$query .= "order by level desc limit 20";


while($member = $query->fetchrow())
{

Okay, so I kept getting this error:

 

Call to a member function fetchrow() on a non-object

 

So instead of using $query as my member->fetchrow I did this:

 

$query2 = $db->execute("".$query." order by level desc limit 20");

 

so now i have this code:

if (!$_POST['minlevel']){
$_POST['minlevel'] = 1;		
}

if (!$_POST['maxlevel']){	
$_POST['maxlevel'] = 500;	
}

if (!$_POST['money']){	
$_POST['money'] = 0;	
}

$username = $_POST['username'];

$query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."'";
if (isset($_POST['id']) && !empty($_POST['id'])){
$query .= " && id = '".$_POST['id']."'";
}

if (isset($_POST['username']) && !empty($_POST['username'])){
$query .= " && username LIKE '%$username%'";
}

if ($_POST['city'] >= 1){
$query .= " && city_id = '".$_POST['city']."'";
}

if (isset($_POST['money']) && !empty($_POST['money'])){
$query .= " && money >= '".$_POST['money']."'";
}

if ($_POST['attackable'] == 1){
$query .= " && hospital <= '0' && prison <= '0' && hp >= maxhp * 0.20";
}

if ($_POST['attackable'] == 0){
$query .= " && hospital >= '1' && prison >= '1' && hp < maxhp * 0.20";
}

$query2 = $db->execute("".$query." order by level desc limit 20");

while($member = $query2->fetchrow())
{
echo $member['username'];
echo "<br>";
}

 

 

Except the problem is that it's only returning 1 result... when I know for a fact there are plenty... what's gone wrong?

 

Before I made $query2 it was returning more than 1 row... so what have I done wrong?

well the function time() (assuming you are using the built in function, not your own) is time() not Time(). Beyond that I don't see much of a problem.

 

However, you should always sanitize your input variables, via mysql_real_escape_string() or whatever is appropriate for your database


 

It is the built-in function but it's still not working.... I will be worrying about the security issues once I have a working page

 

thanks.
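
The two points raised in the replies (no raw POST data in the query, and each condition added only when its field was submitted) combined in one added example that is not part of the thread. Table and column names follow the posts; the helper names, the PDO connection (in-memory SQLite standing in for the poster's `$db` wrapper) and the sample rows are assumptions, and `AND` replaces `&&` so the SQL is portable.

```php
<?php
// Added example, not from the thread. Helper names are hypothetical.
function int_or(array $in, string $key, ?int $default): ?int
{
    // Anything that is not a clean integer (blank, array, text) is rejected.
    $v = filter_var($in[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

function build_player_search(array $in): array
{
    // Mandatory level range with the defaults used in the thread (1 and 500).
    $where  = ['level >= :minlevel', 'level <= :maxlevel'];
    $params = [':minlevel' => int_or($in, 'minlevel', 1),
               ':maxlevel' => int_or($in, 'maxlevel', 500)];
    // Optional integer filters: the condition is added only for a valid
    // value, so a blank id matches players with any id.
    foreach (['id' => 'id = :id', 'city' => 'city_id = :city',
              'money' => 'money >= :money'] as $key => $cond) {
        if (($v = int_or($in, $key, null)) !== null) {
            $where[] = $cond;
            $params[":$key"] = $v;
        }
    }
    // Optional name filter: escape LIKE wildcards so % and _ match literally.
    $name = $in['username'] ?? '';
    if (is_string($name) && $name !== '') {
        $where[] = "username LIKE :username ESCAPE '!'";
        $params[':username'] = '%' . str_replace(
            ['!', '%', '_'], ['!!', '!%', '!_'], $name) . '%';
    }
    $sql = 'SELECT * FROM players WHERE ' . implode(' AND ', $where)
         . ' ORDER BY level DESC LIMIT 20';
    return [$sql, $params];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE players (id INTEGER, username TEXT, level INTEGER,
                                  money INTEGER, city_id INTEGER)');
$pdo->exec("INSERT INTO players VALUES (1,'alice',10,500,1),
            (2,'o''brien',42,90,2), (3,'bob_99',7,0,1)");

// Simulated $_POST: blank id, and a username containing a quote character.
[$sql, $params] = build_player_search(['id' => '', 'username' => "o'b"]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
foreach ($stmt as $row) { echo $row['username'], "\n"; }
```

The submitted values travel only in `$params`; the SQL text is assembled from fixed fragments, so a quote in the username cannot change the statement.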
