merkont Posted March 31, 2014 Share Posted March 31, 2014 Hey, Wrote I quick script to filter results from database. It kinda works but not sure if this is best or even secure way to do it. I know mysqli has function 'bind_params', but failed to make it work. <form action="" method="get"> <input type="checkbox" name="data" value="3" /> <input type="submit" /> <?php if( empty($_GET['data']) ) { die("GET empty"); } $mysqli = new mysqli('localhost', 'user', 'password', 'database'); $statement = "SELECT * FROM table1 WHERE id=" . $_GET['data']; $result = $mysqli->query($statement); while( $row = $result->fetch_assoc() ) { echo $row['id']; echo "<br/>"; echo $row['text']; if ($row['img'] != NULL) echo "<img src=" . $row['img'] . " > "; } ?> So just basic checkbox interface, when selected one of checkboxes and submitted, script queries database with matching ID from GET, returns results and loops through them. Inside loop checks for associated image src, if not present ignores field. I want to use this fucntions logic in my project but not sure if secure nor best/easiest way to do this. Obviously will improve interface, naming of variables etc. Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 31, 2014 Share Posted March 31, 2014 (edited) EDIT: NEVER put user entered data into a query (unless you are using prepared statements). In this case you can use intval() on the value $id = intval($_GET['data']); $statement = "SELECT * FROM table1 WHERE id={$id}"; As to your issue, MySQL does not return NULL for a NULL field. Just check if the value is not empty. Plus, there are no quotes around the value if (!empty($row['img'])) { echo "<img src=\"{$row['img']}\">"; } Edited March 31, 2014 by Psycho Quote Link to comment Share on other sites More sharing options...
DavidAM Posted March 31, 2014 Share Posted March 31, 2014 While I agree that the test should be if (!empty($row['img'])); the manual says: Note: This function sets NULL fields to the PHP NULL value. for both mysql and mysqli http://php.net/manual/en/function.mysql-fetch-assoc.php http://php.net/manual/en/mysqli-result.fetch-assoc.php Quote Link to comment Share on other sites More sharing options...
jazzman1 Posted March 31, 2014 Share Posted March 31, 2014 unless you are using prepared statements You should get an error message if you try to use superglobals along with prepared queries Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 31, 2014 Share Posted March 31, 2014 While I agree that the test should be if (!empty($row['img'])); the manual says: for both mysql and mysqli http://php.net/manual/en/function.mysql-fetch-assoc.php http://php.net/manual/en/mysqli-result.fetch-assoc.php I stand corrected. I could have sworn it did not do that. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.