ldoozer, posted July 9, 2007:

Hi all, please could somebody help me get this query to work. I need to add ORDER BY SportTitle ASC to the end but cannot get it to be valid.

$query = "SELECT * FROM sports s, categories c, sport_catog sc WHERE s.SportId = sc.SportId AND c.CategId = sc.CategId AND c.CategId = ".$_GET['catog'];
pikemsu28, posted July 9, 2007:

$query = "SELECT * FROM sports s, categories c, sport_catog sc WHERE s.SportId = sc.SportId AND c.CategId = sc.CategId AND c.CategId = ".$_GET['catog']." ORDER BY xx.SportTitle ASC";

Replace the xx with the alias of the table that SportTitle is located in.
per1os, posted July 9, 2007:

$query = "SELECT * FROM sports s, categories c, sport_catog sc WHERE s.SportId = sc.SportId AND c.CategId = sc.CategId AND c.CategId = ".$_GET['catog'] . " ORDER BY s.SportTitle ASC";

Also be wary of SQL injection when including the $_GET directly in the SQL like that.
ldoozer (author), posted July 9, 2007:

You're a star, thank you. I have had a warning about SQL injection before from somebody but am not really sure what it means or how somebody could use it.
Carterhost, posted July 9, 2007:

$query = "SELECT * FROM sports s, categories c, sport_catog sc WHERE s.SportId = sc.SportId AND c.CategId = sc.CategId AND c.CategId = ".$_GET['catog'] . " ORDER BY s.SportTitle ASC";

If someone entered 1 OR 2 = 2 into the catog parameter, what would that make your SQL statement? This:

WHERE s.SportId = sc.SportId AND c.CategId = sc.CategId AND c.CategId = 1 OR 2 = 2 ORDER BY s.SportTitle ASC

Which would nicely return every row in your database, because 2 will always equal 2. Just check that your $_GET['catog'] is what you want it to be before you start pumping it into SQL statements.
grimmier, posted July 9, 2007:

SQL injection is a bad thing. Basically you don't want to pass direct variables through your URL. Imagine someone passing username and password in the URL. Someone just has to enter 'or1='1 as the password string in the URL and they are in. This can cause problems in many areas, but the most obvious one for people to see is a username/password example. Here is a better description: http://www.unixwiz.net/techtips/sql-injection.html
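Added example, not code from any poster in this thread: the concatenated query from the thread placed beside a hardened version, so per1os's warning, Carterhost's "1 OR 2 = 2" case and grimmier's explanation can be tried against a local database. The table and column names are the thread's own; the in-memory SQLite schema, the sample rows and the two function names are constructed here so the script runs stand-alone with php and the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread). Runs stand-alone: php this_file.php
// Schema and rows are constructed here purely for demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sports (SportId INTEGER, SportTitle TEXT)");
$pdo->exec("CREATE TABLE categories (CategId INTEGER, CategName TEXT)");
$pdo->exec("CREATE TABLE sport_catog (SportId INTEGER, CategId INTEGER)");
$pdo->exec("INSERT INTO sports VALUES (1, 'Tennis'), (2, 'Rugby'), (3, 'Chess')");
$pdo->exec("INSERT INTO categories VALUES (1, 'Outdoor'), (2, 'Indoor')");
$pdo->exec("INSERT INTO sport_catog VALUES (1, 1), (2, 1), (3, 2)");

// The pattern from the thread: the raw request value is pasted into the SQL text,
// so the database cannot tell where the query ends and the client's input begins.
function sportsForCategoryUnsafe(PDO $pdo, string $catog): array
{
    $query = "SELECT * FROM sports s, categories c, sport_catog sc "
           . "WHERE s.SportId = sc.SportId AND c.CategId = sc.CategId "
           . "AND c.CategId = " . $catog . " ORDER BY s.SportTitle ASC";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the value is validated as an integer (Carterhost's "check that
// $_GET['catog'] is what you want it to be") and then bound as a parameter of a
// prepared statement, so whatever arrives is treated as data, never as SQL.
function sportsForCategory(PDO $pdo, $catog): array
{
    $id = filter_var($catog, FILTER_VALIDATE_INT);
    if ($id === false || $id < 0) {
        throw new InvalidArgumentException('catog must be a non-negative integer');
    }
    $stmt = $pdo->prepare(
        "SELECT * FROM sports s "
      . "JOIN sport_catog sc ON s.SportId = sc.SportId "
      . "JOIN categories c ON c.CategId = sc.CategId "
      . "WHERE c.CategId = :catog ORDER BY s.SportTitle ASC"
    );
    $stmt->execute([':catog' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Carterhost's case: the client sends "1 OR 2 = 2" as the catog parameter.
// In a web context this would come from $_GET['catog'] ?? ''.
$crafted = '1 OR 2 = 2';

echo "unsafe query, catog=1: " . count(sportsForCategoryUnsafe($pdo, '1')) . " rows\n";
echo "unsafe query, crafted value: " . count(sportsForCategoryUnsafe($pdo, $crafted)) . " rows\n";
echo "safe query, catog=1: " . count(sportsForCategory($pdo, '1')) . " rows\n";
try {
    sportsForCategory($pdo, $crafted);
} catch (InvalidArgumentException $e) {
    echo "safe query rejected crafted value: " . $e->getMessage() . "\n";
}
```

With the crafted value the unsafe function evaluates `... AND c.CategId = 1 OR 2 = 2`, and because AND binds tighter than OR the WHERE clause is true for every combination of the three tables, so the whole cross product comes back instead of the two outdoor sports. The hardened function never reaches the database with that input: the integer check rejects it, and even a value that passed the check could only ever be compared against CategId, because the query text is fixed before the parameter is supplied.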
ldoozer (author), posted July 9, 2007:

Thanks for the explanation, I will be reading up on it.