multichild — 2012-02-03T09:19:33-05:00 — #1
Hi, im trying to do a select * from where and, which isnt going right, can anybody see the problem.
$r=mysql_query("select * from sub_category where ((parent_Category=$_GET['cat']) AND (sub_Active=1)) order by sub_Id DESC");
weber77 — 2012-02-03T09:29:12-05:00 — #2
at least show us your database dude
cups — 2012-02-03T09:30:00-05:00 — #3
// cat is int
"select * from sub_category where ((parent_Category=". $_GET['cat'] .") AND (sub_Active=1)) order by sub_Id DESC"
the above will hold true if 'cat' is an integer, if it is a string then you have to add quotes (single quotes in this case) look at the diff very closely
// cat is a string
"select * from sub_category where ((parent_Category='". $_GET['cat'] ."') AND (sub_Active=1)) order by sub_Id DESC"
BTW, using any variable coming straight from the outside, like $_GET. is very dangerous and you should be protecting yourself from sql injection attacks.
So the above become:
// cat is int
"select * from sub_category where ((parent_Category=". (int)$_GET['cat'] .") AND (sub_Active=1)) order by sub_Id DESC"
That is an example of typecasting a var to an integer ( or 0 if it is not an integer)
// cat is a string
"select * from sub_category where ((parent_Category='". mysql_real_escape_string($_GET['cat']) ."') AND (sub_Active=1)) order by sub_Id DESC"
That is an example of escaping a string for mysql
multichild — 2012-02-03T09:31:08-05:00 — #4
Hi, what its calling for from the database is correct, I just keep getting a error message, so I was thinking the code was wrong.
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in E:
fizixrichard — 2012-02-03T10:47:13-05:00 — #5
Just try this and see what happens:
// Put that $_GET into a variable
$parentcat = $_GET['cat'];
// Echo it out so that you can see precisely whats in that variable
echo("Cat: " . $parentcat);
$r = mysql_query("select * from sub_category where ((parent_Category='$parentcat') AND (sub_Active='1')) order by sub_Id DESC");
Now, what I've done there, is move that GET into a variable, and we are outputting that variable to the screen so we know exactly whats in there (if there are any characters that could be throwing it up). You obviously wont do that in a production environment, but it can be useful just to test when something has gone wrong, so remove it completely after you know whats up.
Then using '' around your variables in your query.
This SQL is NOT secure though, you need to do as cups has said and escape that variable, but put the GET into a variable and escape it from there, NOT directly in the query.
The reason you want to put it into a variable is because you will want to validate that whatever is put in is what you would expect to be put in, the escape will help prevent against SQL Injection, but there are other things you want to protect against, you should always validate/cleanse incoming variables properly.
csu_bill — 2012-02-03T12:47:08-05:00 — #6
If the PHP code is wrong, it may not be in that line. Look at the previous lines or errors. Maybe if you post a larger selection of your code, someone could spot an error.