开发者

if function inside sql query?

问答 作者: 
function get_tags_by_criteria($gender_id, $country_id, $region_id, $city_id, $day_of_birth=NULL, $tag_id=NULL, $thread_id=NULL) {

    $query = "SELECT tags.*
        FROM tags, thread_tag_map, threads
        WHERE thread_tag_map.thread_id = threads.id
        AND thread_tag_map.tag_id = tags.id

        AND threads.gender_id = $gender_id
        AND threads.country_id = $country_id
        AND threads.region_id = $region_id
        AND threads.city_id = $city_id
        AND tags.id LIKE '%$tag_id%'
        AND threads.id LIKE '%$thread_id%'";
        if(!$day_of_birth)
        {
            $query += "AND threads.min_day_of_birth <= '$day_of_birth AND threads.max_day_of_birth >= '$day_of_birth' ";
        }

        $query += "GROUP BY tags.name";

    $result = $this->do_query($query);
    return $result;
}

if no $day_of_birth is passed as an argument i want the sql to omit the 2 lines inside the if. i used:

$all_tags = $forum_model->get_tags_by_criteria(1, 1, 0, 0);

i wonder why this sql returns a error:

Couldn't execute query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' 开发者_如何学Cat line 1

You're using the addition (+=) operator when you should be using the concatenation (.=) operator.

You should be escaping your inputs too, to avoid SQL injection - see mysql_real_escape_string()

there's missing white space between " and AND in appended string

Your problem is that you left out a ' by the date of birth.

Change it to AND threads.min_day_of_birth <= '$day_of_birth' (Note closing ' and opening )
Also, as others have pointed out, you should write $query .= instead of $query += (note .)

You have a SQL Injection vulnerability; you should use parameters.
Remember Bobby Tables!

.= is used for string concatenation in PHP, not +=

You can also use placeholders in your query. If an option/parameter is set the script sets the contents of the placeholder to the appropriate sql code otherwise the placeholder is empty/null.

e.g.

function get_tags_by_criteria($gender_id, $country_id, $region_id, $city_id, $day_of_birth=NULL, $tag_id=NULL, $thread_id=NULL) {
  if ( !is_null($day_of_birth) ) {
    $day_of_birth = "AND ('$day_of_birth' BETWEEN threads.min_day_of_birth AND threads.max_day_of_birth)"
  }

  $query = "
    SELECT
      tags.*
    FROM
      tags, thread_tag_map, threads
    WHERE
      thread_tag_map.thread_id = threads.id
      AND thread_tag_map.tag_id = tags.id
      AND threads.gender_id = $gender_id
      AND threads.country_id = $country_id
      AND threads.region_id = $region_id
      AND threads.city_id = $city_id
      AND tags.id LIKE '%$tag_id%'
      AND threads.id LIKE '%$thread_id%'
      {$day_of_birth}
    GROUP BY
      tags.name
  ";

  $result = $this->do_query($query);
  return $result;
}

edit: as mentioned before: keep the possible sql injection in mind.

继续阅读:phpsql

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9