glassfish Posted September 17, 2014 Share Posted September 17, 2014 The Query: $query = "SELECT * FROM ttn01 WHERE id = $_GET['id']"; I am getting an error. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/ Share on other sites More sharing options...
Jacques1 Posted September 17, 2014 Share Posted September 17, 2014 You can't just drop some PHP value into a query string, especially when that value comes from the user. This makes your application wide open to SQL injection attacks and all kinds of bugs. Use prepared statements to properly pass values to the database system. Note that you'll need the PDO or the MySQLi extension. If you're still using the old mysql_* functions, it's time to switch. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491420 Share on other sites More sharing options...
ginerjm Posted September 17, 2014 Share Posted September 17, 2014 if id is NOT an integer value you need to wrap the argument in single quotes and curly braces Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491421 Share on other sites More sharing options...
Jacques1 Posted September 17, 2014 Share Posted September 17, 2014 if id is NOT an integer value you need to wrap the argument in single quotes and curly braces So that he gets a nice SQL injection vulnerability? C'mon. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491423 Share on other sites More sharing options...
glassfish Posted September 17, 2014 Author Share Posted September 17, 2014 Can you give me an example, please. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491424 Share on other sites More sharing options...
ginerjm Posted September 17, 2014 Share Posted September 17, 2014 You need to do what Jacques1 indicated. I merely told you one facet of writing a proper query statement, but he told you how to do things the proper way. So roll up your sleeves and do some research! Coders help those who help themselves. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491426 Share on other sites More sharing options...
Jacques1 Posted September 17, 2014 Share Posted September 17, 2014 The blue underlined text snippets in my reply are actually links. Click on them and you'll get plenty of examples. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491427 Share on other sites More sharing options...
cyberRobot Posted September 17, 2014 Share Posted September 17, 2014 If $_GET['id'] is supposed to be a number, you can modify the query as follows: $query = "SELECT * FROM ttn01 WHERE id = {$_GET['id']}"; The curly brackets are needed when you include an array variable ($_GET['id']), which has quotes around the index, in a string. As the others have suggested, you'll also want to take the necessary precautions to protect your query from injection attacks. If you're unable to use prepared statements and $_GET['id'] is supposed to be a number, you can run the variable through ctype_digit(): http://php.net/manual/en/function.ctype-digit.php If $_GET['id'] contains anything other than a number, throw an error instead of running the query. Quote Link to comment https://forums.phpfreaks.com/topic/291131-how-to-write-this-query-properly/#findComment-1491429 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.