dph1077

Php - Sql Where Clause


The worst thing about asking for help is when you know you are off by just a few characters (my gut feeling anyway). My problem is trying to use an SQL WHERE clause. The background to the situation is this. I've finally got my DB up and running (yay!) and now what I am doing is creating page 'A' that allows a user to put into a form a price (say 50 dollars). After clicking submit, it then goes to the next page and scrubs through the DB to display only the values that are less than the price inputted. It seems to work ok, but the 2nd page doesn't display anything other than my html code. Using other code from a sample page I know the DB is populated with 5 entries, so at least 1 should show up. Here is the SQL statement that is wrong that I am using:


>$result = @mysql_query('SELECT * FROM tblproducts WHERE price <= ".$maxprice."');

 

HMMM, now that I think of it, the database is set up so the price field is a Float (remembering from my C days that was the decimal one). Should it be a different field type?


Sorry for the long question... any help is greatly appreciated... as usual! <_<


I think you have the single and double quotes reversed, and I'm not sure why you have the dots on each side of the variable. I would try the following:

>$result = @mysql_query("SELECT * FROM tblproducts WHERE price <= '$maxprice'");

I don't know if your script code already handles this or not, but you should not trust what a user enters and directly include it in a MySQL query. This can leave your script vulnerable to MySQL injection attacks. I would modify the above query to the following to prevent this:

>$result = @mysql_query("SELECT * FROM tblproducts WHERE price <= '" . mysql_real_escape_string($maxprice) . "'");


I knew it would be something easy that I was doing wrong. I had the double & single quotes backwards. As for the periods, I had added them when the first couple of tries didn't work and had seen them on some site (can't remember which one) and was desperate to try anything. I am very new to PHP and am in the process of reading a book at home so I have no clue what the periods do anyway.


I will also look into using the modified version that you show to stop attacks. As usual, I am indebted to others for helping me find my way!

As for the periods, I had added them when the first couple of tries didn't work and had seen them on some site (can't remember which one) and was desperate to try anything. I am very new to PHP and am in the process of reading a book at home so I have no clue what the periods do anyway. 

Outside of a string, the "." is the string concatenation operator (it joins strings together). For example:

>echo 'This ' . 'is ' . 'a ' . 'test.';

...is equivalent to:

>echo 'This is a test.';

Inside of a string, the "." is just a plain dot character. Because of the way your original query was written, the "." was a part of the string instead of outside of it, so it was behaving as an ordinary character.

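The following is an added example, not code posted in this thread, that ties the two replies above together: it builds the query string exactly as the original single-quoted line does (so you can see why no rows came back), as the corrected double-quoted line does, and with the "." concatenation operator, then shows the injection problem the first reply warns about and a parameterised fix. The mysql_* functions used in the thread were removed in PHP 7.0, so the fix uses mysqli prepared statements; the table name and FLOAT price column are taken from the question, while the connection credentials are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes tblproducts(price FLOAT)
// as described in the question; connection details below are placeholders.

// 1. What the original line actually sends to MySQL. Inside single quotes PHP
//    does no variable interpolation, and the "." is an ordinary character.
function buildOriginal(string $maxprice): string
{
    return 'SELECT * FROM tblproducts WHERE price <= ".$maxprice."';
}

// 2. The corrected line from the first reply: double quotes interpolate $maxprice.
function buildInterpolated(string $maxprice): string
{
    return "SELECT * FROM tblproducts WHERE price <= '$maxprice'";
}

// 3. The same query built with "." used as the concatenation operator,
//    i.e. outside the string literals rather than inside them.
function buildConcatenated(string $maxprice): string
{
    return "SELECT * FROM tblproducts WHERE price <= '" . $maxprice . "'";
}

echo buildOriginal('50'), "\n";
// SELECT * FROM tblproducts WHERE price <= ".$maxprice."
// MySQL (default sql_mode) treats ".$maxprice." as a string literal, which
// compares as 0 against a FLOAT column, so no product is returned.

echo buildInterpolated('50'), "\n";
echo buildConcatenated('50'), "\n";
// Both: SELECT * FROM tblproducts WHERE price <= '50'

// 4. Why user input must never be dropped into the SQL text: a crafted "price"
//    changes the meaning of the WHERE clause and returns every row.
$payload = "0' OR '1'='1";
echo buildInterpolated($payload), "\n";
// SELECT * FROM tblproducts WHERE price <= '0' OR '1'='1'

// 5. Fix: validate the type first, then bind the value as a parameter so the
//    database receives it as data, separate from the SQL text.
function productsUnderPrice(mysqli $db, $input): array
{
    // filter_var returns false for anything that is not a float,
    // e.g. the payload above, so it never reaches the query.
    $maxprice = filter_var($input, FILTER_VALIDATE_FLOAT);
    if ($maxprice === false || $maxprice < 0) {
        throw new InvalidArgumentException('price must be a non-negative number');
    }
    $stmt = $db->prepare('SELECT * FROM tblproducts WHERE price <= ?');
    $stmt->bind_param('d', $maxprice);   // 'd' = double, matches the FLOAT column
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage on the results page (placeholder credentials, an assumption of this example):
// $db = new mysqli('localhost', 'dbuser', 'dbpassword', 'shop');
// foreach (productsUnderPrice($db, $_POST['maxprice'] ?? '') as $row) {
//     echo htmlspecialchars($row['name']), ': ', $row['price'], "<br>\n";
// }
```

The validation step is what makes the FLOAT column question moot: a FLOAT is fine for this query, and once the input is checked as a number and bound with the `d` type, quoting the value in the SQL text is no longer needed at all.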
Thanks for the quick tutorial! It was a much easier subject than I thought.
