
[SOLVED] help with query


seany123


this is connected to my other post asking for help with a searching page... i have this query...

 

 


$query = $db->execute("SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."' && id = '".$_POST['id']."' order by level desc limit 20");

 

 

now what i need help with is if $_POST['id'] is blank... then i wanna set $_POST['id'] so the query says something like this..

 

$_POST['id'] = anything

 

 

so in the query above it will return all players with ANY id...


1) Don't use raw POST data in your query.  That's a serious security vulnerability.

2) Check to see if POST has a value by using isset, then you can structure your query appropriately.  Remember if you take out the condition that checks for a specific 'id' it will include all ids.

 

$query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
if (isset($_POST['id'] && !empty($_POST['id']){
$query .= "&& id = '".$_POST['id']."'";
}
$query .= "order by level desc limit 20";

 

 

something like that should work. untested

 

edit: as Maq said, using mysql real escape string or some other sanitizing function is highly recommended

 

 


 

 

that works with this right?

 

$query = $db->execute("SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."' && id = '".$_POST['id']."' order by level desc limit 20");

while($member = $query->fetchrow())
{

 

 

also using your code gave me this error:

 

Parse error: syntax error, unexpected T_BOOLEAN_AND, expecting ',' or ')'

i was just thinking instead of that can't i just do this:

 

<?php

$query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."' && username LIKE '%$username%' && money >= '".$_POST['money']."'";
if ($_POST['id']){
$query .= "&& id = '".$_POST['id']."'";
}
$query .= "order by level desc limit 20";


while($member = $query->fetchrow())
{

okay so i kept getting this error:

 

Call to a member function fetchrow() on a non-object

 

so instead of using $query as my member->fetchrow i did this:

 

$query2 = $db->execute("".$query." order by level desc limit 20");

 

so now i have this code:

if (!$_POST['minlevel']){
$_POST['minlevel'] = 1;		
}

if (!$_POST['maxlevel']){	
$_POST['maxlevel'] = 500;	
}

if (!$_POST['money']){	
$_POST['money'] = 0;	
}

$username = $_POST['username'];

$query = "SELECT * FROM players WHERE level >= '".$_POST['minlevel']."' && level <= '".$_POST['maxlevel']."'";
if (isset($_POST['id']) && !empty($_POST['id'])){
$query .= " && id = '".$_POST['id']."'";
}

if (isset($_POST['username']) && !empty($_POST['username'])){
$query .= " && username LIKE '%$username%'";
}

if ($_POST['city'] >= 1){
$query .= " && city_id = '".$_POST['city']."'";
}

if (isset($_POST['money']) && !empty($_POST['money'])){
$query .= " && money >= '".$_POST['money']."'";
}

if ($_POST['attackable'] == 1){
$query .= " && hospital <= '0' && prison <= '0' && hp >= maxhp * 0.20";
}

if ($_POST['attackable'] == 0){
$query .= " && hospital >= '1' && prison >= '1' && hp < maxhp * 0.20";
}

$query2 = $db->execute("".$query." order by level desc limit 20");

while($member = $query2->fetchrow())
{
echo $member['username'];
echo "<br>";
}

 

 

except the problem is that it's only returning 1 result... when i know for a fact there are plenty... what's gone wrong?

 

before i made $query2 it was returning more than 1 row... so what have i done wrong?

well the function time() (assuming you are using the built in function, not your own) is time() not Time(). Beyond that I don't see much of a problem.

 

However, you should always sanitize your input variables, via mysql_real_escape_string() or whatever is appropriate for your database


 

it is the built in function but it's still not working.... i will be worrying about the security issues once i have a working page

 

thanks.
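
Added example, not code from any poster in this thread: the optional-filter search discussed above, built with PDO prepared statements so that request values are bound rather than concatenated into the SQL. The function name `searchPlayers`, the in-memory SQLite table and the sample rows are assumptions made for the illustration; the thread's `$db` wrapper is not used and the `city` filter is left out.

```php
<?php
// Added example, not code from the thread. Table layout and rows are constructed.
function searchPlayers(PDO $pdo, array $in): array
{
    // Blank level fields fall back to 1 and 500, as in the thread.
    $where  = ['level >= :minlevel', 'level <= :maxlevel'];
    $params = [
        ':minlevel' => (int)($in['minlevel'] ?? 0) ?: 1,
        ':maxlevel' => (int)($in['maxlevel'] ?? 0) ?: 500,
    ];
    // Each optional filter adds its condition and its bound value together.
    if (!empty($in['id'])) {
        $where[] = 'id = :id';
        $params[':id'] = (int)$in['id'];
    }
    if (isset($in['username']) && $in['username'] !== '') {
        // Escape LIKE wildcards so the input is matched literally.
        $term = strtr($in['username'], ['!' => '!!', '%' => '!%', '_' => '!_']);
        $where[] = "username LIKE :username ESCAPE '!'";
        $params[':username'] = '%' . $term . '%';
    }
    if (!empty($in['money'])) {
        $where[] = 'money >= :money';
        $params[':money'] = (int)$in['money'];
    }
    // Filter on attackable only when the field was sent: a missing field is
    // null, and null == 0 is true in PHP.
    if (isset($in['attackable']) && $in['attackable'] !== '') {
        $where[] = ((int)$in['attackable'] === 1)
            ? 'hospital <= 0 AND prison <= 0 AND hp >= maxhp * 0.20'
            : 'hospital >= 1 AND prison >= 1 AND hp < maxhp * 0.20';
    }
    $sql = 'SELECT username FROM players WHERE ' . implode(' AND ', $where)
         . ' ORDER BY level DESC LIMIT 20';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT, level INT,
            money INT, hospital INT, prison INT, hp INT, maxhp INT)');
$pdo->exec("INSERT INTO players VALUES (1,'alice',10,500,0,0,100,100),
            (2,'bob',20,50,0,0,90,100), (3,'al_x',5,0,3,2,10,100)");

print_r(searchPlayers($pdo, []));                        // no filters sent
print_r(searchPlayers($pdo, ['id' => "2' OR '1'='1"]));  // hostile id is cast and bound
print_r(searchPlayers($pdo, ['username' => 'al_']));     // "_" treated as a literal
```

The SQL text is assembled only from fixed strings in the function; everything that comes from the request reaches the database through `execute()` as a bound parameter.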

Archived

This topic is now archived and is closed to further replies.
