gulliver2011 — 2011-09-05T12:32:51-04:00 — #1
OK, so I am having a bit of a dilemma: I am trying to build a list of Primary Categories and Secondary categories sitting underneath the relevant Primary.
- High Heels
- Gym Shoes
It has all gone OK; I have built the list of Primary categories (the query for which lives in a controller file elsewhere that calls in the file I am about to show).
This is the page that the code generates: Search, although it currently has an echo of the query in it.
#2486457 - Pastie
My problem is (I think) that this query does not seem to work.
$secresult = mysqli_query($link, "SELECT secondarytubes.categoryname FROM secondarytubes INNER JOIN primarytubes ON primaryid = primarytubes.id WHERE primaryid = '$primaryCatid' ");
I personally think it is the $primaryCatid at the end, as if I change this to a numerical value to represent an id, e.g. 1, and run it through my database directly, it all works.
Anyway, I've been on with this almost all day and am stuck.
scallioxtx — 2011-09-05T18:37:17-04:00 — #2
That's no problem; you can do that in MySQL. See MySQL :: MySQL 5.5 Reference Manual :: 5.3.1 General Security Guidelines
A common mistake is to protect only string data values. Remember to check numeric data as well. If an application generates a query such as SELECT * FROM table WHERE ID=234 when a user enters the value 234, the user can enter the value 234 OR 1=1 to cause the application to generate the query SELECT * FROM table WHERE ID=234 OR 1=1. As a result, the server retrieves every row in the table. This exposes every row and causes excessive server load. The simplest way to protect from this type of attack is to use single quotation marks around the numeric constants: SELECT * FROM table WHERE ID='234'. If the user enters extra information, it all becomes part of the string. In a numeric context, MySQL automatically converts this string to a number and strips any trailing nonnumeric characters from it.
I don't believe it's standard SQL-2003 though.
Anyway, are you sure $primaryCatid has a value, i.e. have you tried
or similar, and did it show a value? If it shows a value, are you sure there are products there (i.e. have you tried the value 1, which should give results as per your tests)?
mittineague — 2011-09-05T12:46:18-04:00 — #3
If $primaryCatid is numeric, why is it inside quotes?
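The two points raised in #2 and #3 (a numeric id pasted into the SQL text can be turned into `... OR 1=1`, and an id that is really a number should be handled as one) in a runnable form. This is an added example, not code from the thread; it uses an in-memory SQLite database standing in for MySQL, the table and column names from the original query, and a few constructed rows. The quoting trick from the manual excerpt is MySQL-specific (SQLite does not strip trailing non-numeric text), so it is not what is shown here; the fix demonstrated is the portable one: validate the id as an integer, then bind it as a query parameter (in PHP the equivalent is a mysqli prepared statement with `bind_param('i', ...)`). As a side effect, an empty or unset `$primaryCatid`, which the original post suspects, fails loudly instead of silently returning no rows.

```python
import sqlite3

# Constructed sample data standing in for the poster's primarytubes/secondarytubes
# tables (column names follow the thread; the rows are invented for this example).
PRIMARY = [(1, "Shoes"), (2, "Bags")]
SECONDARY = [
    (1, 1, "High Heels"),
    (2, 1, "Gym Shoes"),
    (3, 2, "Clutch"),
]


def make_db():
    """In-memory SQLite database with the two tables from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE primarytubes (id INTEGER PRIMARY KEY, categoryname TEXT)")
    conn.execute(
        "CREATE TABLE secondarytubes "
        "(id INTEGER PRIMARY KEY, primaryid INTEGER, categoryname TEXT)"
    )
    conn.executemany("INSERT INTO primarytubes VALUES (?, ?)", PRIMARY)
    conn.executemany("INSERT INTO secondarytubes VALUES (?, ?, ?)", SECONDARY)
    return conn


def secondary_unsafe(conn, primary_catid):
    """The pattern from the original post, with the quotes post #3 asks about
    removed: the value is pasted straight into the SQL text, so anything the
    caller supplies becomes part of the query."""
    sql = (
        "SELECT s.categoryname FROM secondarytubes s "
        "INNER JOIN primarytubes p ON s.primaryid = p.id "
        f"WHERE s.primaryid = {primary_catid} "
        "ORDER BY s.id"
    )
    return [row[0] for row in conn.execute(sql)]


def secondary_safe(conn, primary_catid):
    """Validate the id as an integer, then bind it as a parameter.
    Input such as '1 OR 1=1' or '' raises ValueError before any SQL runs."""
    catid = int(str(primary_catid).strip())
    sql = (
        "SELECT s.categoryname FROM secondarytubes s "
        "INNER JOIN primarytubes p ON s.primaryid = p.id "
        "WHERE s.primaryid = ? "
        "ORDER BY s.id"
    )
    return [row[0] for row in conn.execute(sql, (catid,))]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, id 1:        ", secondary_unsafe(db, 1))
    print("unsafe, '1 OR 1=1':  ", secondary_unsafe(db, "1 OR 1=1"))
    print("safe, id 1:          ", secondary_safe(db, 1))
    for bad in ("1 OR 1=1", ""):
        try:
            secondary_safe(db, bad)
        except ValueError as exc:
            print("safe, rejected %r: %s" % (bad, exc))
```

With the unsafe version, the value `1 OR 1=1` returns every secondary category in the table; with the safe version the same input never reaches the database. The same `int()`-style check also answers the debugging question in #2: if the variable is empty, the error tells you so immediately.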