DFibres Posted May 4, 2020

Trying to read through this query string to get a list of subjects (sub) and products (pro):

sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90

so I need 2-73, 2-76, 2-79, 3-73, 3-74 etc. What am I missing in this code?

foreach($_POST as $key => $val) {
    $sub = substr($key, 3);
    $pro = substr($val, 3);
    // $links = "SELECT * FROM table WHERE sub='".$sub."' AND pro='".$pro."';";
}
gw1500se Posted May 4, 2020

First, please use the code icon (<>) and select PHP for your code. Second, where is that string coming from? It looks like the page is using GET, not POST, so you should be using $_GET. Third, never, ever put posted data directly into a query string. Use prepared statements only.
Barand Posted May 4, 2020

4 hours ago, DFibres said:
> What am i missing in this code

Without knowing what output you are expecting from that input, how can we say what's missing? The inputs are dodgy too. Each sub2 will overwrite the previous one, leaving you with 2-92 and 3-90 only.
StevenOliver Posted May 4, 2020 (edited)

I agree with the answers given. However, I'm happy to provide a dubious 1990's-style PHP answer to your dubious question 😀

<?php
// Split the raw query string on '&' so repeated keys are not collapsed
$dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
foreach ($dubious_query_string_values as $var => $val) {
    $parts = explode('=', $val);
    echo 'SELECT * FROM table WHERE sub="'.substr($parts[0],3).'" AND pro = "'.substr($parts[1],3).'";';
    echo '<BR>';
}
?>

If your URL looks like this:

www.example.com/dubious.html?sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90

the above code will give you:

SELECT * FROM table WHERE sub="2" AND pro = "73";
SELECT * FROM table WHERE sub="2" AND pro = "76";
SELECT * FROM table WHERE sub="2" AND pro = "79";
SELECT * FROM table WHERE sub="2" AND pro = "90";
SELECT * FROM table WHERE sub="2" AND pro = "92";
SELECT * FROM table WHERE sub="3" AND pro = "73";
SELECT * FROM table WHERE sub="3" AND pro = "74";
SELECT * FROM table WHERE sub="3" AND pro = "87";
SELECT * FROM table WHERE sub="3" AND pro = "90";

Again, this is PHP from the 80's before hacking got invented. Please heed gw1500se's and Barand's advice: never ever put raw input into mysql queries, etc.!

Edited May 4, 2020 by StevenOliver
StevenOliver Posted May 5, 2020

Still terrible code but safer:

<?php
$dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
foreach ($dubious_query_string_values as $var => $val) {
    // Strip everything except digits and '=' before splitting the pair
    $val = preg_replace('/[^\d=]/', '', $val);
    $parts = explode('=', $val);
    echo 'SELECT * FROM table WHERE sub="'.$parts[0].'" AND pro = "'.$parts[1].'";';
    echo '<BR>';
}
?>
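A version that follows the advice in this thread, added here as an example and not code posted by anyone above: it keeps every repeated key (which $_GET and parse_str() collapse to the last value), accepts only the "subN=proM" shape, and binds the integers to a PDO prepared statement. The table and column names are the ones from the question; the DSN and credentials in the trailing comment are assumed.

```php
<?php
// Added example, not code from the thread. Repeated keys such as sub2=pro73&sub2=pro76
// are all kept (parse_str() and $_GET keep only the last value per key), each pair is
// validated as integers, and the values are bound to a prepared statement, not concatenated.

/** Return [sub, pro] integer pairs from a raw query string; anything else is skipped. */
function parseSubProPairs(string $queryString): array
{
    $pairs = [];
    foreach (explode('&', $queryString) as $item) {
        if ($item === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $item, 2), 2, '');
        $key = urldecode($key);
        $value = urldecode($value);
        // Anchored patterns: only "sub<digits>" and "pro<digits>" are accepted.
        if (preg_match('/^sub(\d+)$/', $key, $k) && preg_match('/^pro(\d+)$/', $value, $p)) {
            $pairs[] = [(int) $k[1], (int) $p[1]];
        }
    }
    return $pairs;
}

/**
 * One prepared query per pair; values are bound as integers, never interpolated.
 * Table and column names follow the thread; `table` is quoted because it is a reserved word.
 */
function fetchRows(PDO $pdo, array $pairs): array
{
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE sub = :sub AND pro = :pro');
    $rows = [];
    foreach ($pairs as [$sub, $pro]) {
        $stmt->bindValue(':sub', $sub, PDO::PARAM_INT);
        $stmt->bindValue(':pro', $pro, PDO::PARAM_INT);
        $stmt->execute();
        $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
    }
    return $rows;
}

// Constructed sample input based on the thread's URL, plus two pairs that must be rejected.
$sample = 'sub2=pro73&sub2=pro76&sub2=pro79&sub3=pro73&sub3=pro74&sub2=notanumber&foo=bar';
foreach (parseSubProPairs($sample) as [$sub, $pro]) {
    echo $sub . '-' . $pro . PHP_EOL;
}
// With a live connection (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=app', $user, $pass);
// $rows = fetchRows($pdo, parseSubProPairs($_SERVER['QUERY_STRING']));
```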