  1. #1
    New Coder
    Join Date
    Jul 2011
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Use variable as ID and request table from MySQL?

    Hello, I have been able to turn a multiple select option form into a PHP array in this form:

    PHP Code:
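    <?php

    // Runs only when the multi-select field select3 was submitted
    if (isset($_POST['select3']))
    {
        $aVenues = $_POST['select3'];

        if (!isset($aVenues))
        {
            echo("<p>You didn't select any venues!</p>\n");
        }
        else
        {
            $nVenues = count($aVenues);

            echo("<p>You selected $nVenues venues: ");
            for ($i = 0; $i < $nVenues; $i++)
            {
                // Escape each submitted value before echoing it into the page
                echo(htmlspecialchars($aVenues[$i]) . " ");
            }
            echo("</p>");
        }
    }

    ?>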

    $aVenues is the individual numbers received from the form and $nVenues is the number of those received.

    Basically, what you get with this code is this:
    You selected 2 venues: 2 6

    The numbers 2 and 6 are IDs sent from the form, and I would like to use these numbers to request the ID of a row in a database and make a simple table. How would I go about doing that?

    My MySQL is basic and all I came up with is this:


    PHP Code:
    $sql = "SELECT * FROM some_database WHERE id IN ($aVenues)";


    Thanks everyone ))

  • #2
    Supreme Master coder! Old Pedant
    Join Date
    Feb 2009
    Posts
    26,184
    Thanks
    80
    Thanked 4,451 Times in 4,416 Posts
    Assuming that the IDs are indeed numbers, then your code is correct.

    You just need to ensure that the PHP variable $aVenues contains a comma-delimited list of the numbers.

    That is, you would want the equivalent of
    Code:
    $aVenues = "2, 6";
    Since it would appear to me (a non-PHP person) that $aVenues is actually an array, all you need to do is convert the array to the delimited string.

    Again, not a PHP person, but...
    http://www.php.net/manual/en/function.implode.php

    So probably:
    Code:
    $sql = "SELECT * FROM some_database WHERE id IN (" . implode(",",$aVenues) . ")";
    No?
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    New Coder
    Join Date
    Jul 2011
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts
    You are the best, thanks!

  • #4
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    I'm not sure if using the implode would be the best idea from a security approach unless you first check the array to make sure it only contains numbers, not, say, SQL. And if you are going to iterate over the array to check it, you could build the string at the same time.
    OracleGuy

  • #5
    Supreme Master coder! Old Pedant
    Join Date
    Feb 2009
    Posts
    26,184
    Thanks
    80
    Thanked 4,451 Times in 4,416 Posts
    Good point, though you could easily do something like this:
    Code:
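    $list = implode(",", $aVenues);
    // PCRE patterns need delimiters: "/'/" matches a single quote
    // (the bare "\'" as first posted is not a valid pattern, so the check never fired)
    if ( preg_match("/'/", $list) > 0 )
    {
        // ... an attempt to do SQL injection ...
        // ... abort ...
        exit;
    }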
    No?
    Only works for lists of numbers, of course.

    Not sure I have the "\'" right for the preg_match, but you get the idea.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.
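
The per-element check suggested in #4, combined with bound parameters so the IDs never become SQL text, as an added example that is not code from any poster in this thread. The function names `venueIdsFromPost()` and `fetchVenues()`, the `name` column, the in-memory SQLite stand-in for the MySQL table, and both sample inputs are assumptions made for the demonstration; the second input contains no quote character and is rejected by the digit check.

```php
<?php
// Added example, not code from the thread. Hypothetical names throughout.

/** Validate raw select3 values: every element must be a short string of digits. */
function venueIdsFromPost($raw): array
{
    if (!is_array($raw) || count($raw) === 0) {
        throw new InvalidArgumentException('no venues selected');
    }
    $ids = [];
    foreach ($raw as $value) {
        // ctype_digit() accepts only non-empty strings of 0-9, so "6 OR 1=1",
        // "-1", "6'" and nested arrays are all refused here.
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9) {
            throw new InvalidArgumentException('venue id is not a number');
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

/** Fetch the rows for already-validated ids using one bound parameter per id. */
function fetchVenues(PDO $db, array $ids): array
{
    // One "?" per id: the values travel as bound parameters, never as SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT * FROM some_database WHERE id IN ($placeholders) ORDER BY id");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data; in-memory SQLite stands in for the MySQL table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE some_database (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO some_database VALUES (2, 'Venue B'), (6, 'Venue F'), (7, 'Venue G')");

// Constructed inputs: a normal selection, then one carrying SQL without any quote.
foreach ([['2', '6'], ['2', '6 OR 1=1']] as $post) {
    try {
        $rows = fetchVenues($db, venueIdsFromPost($post));
        echo count($rows), " rows: ", implode(', ', array_column($rows, 'name')), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```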

