WHERE gid=$gid LIMIT 26 not working?

I may not have the best query within query going here and if someone can teach me a better way that would be appreciated.

But with what i do have i cant seem to work out why the LIMIT command doesn't work?

I am LIMITING the thumbnails to 26 but i get 38?

Very weird.

If it helps any, i can say that the gallery table has 7 published gallerys , so there would be 7 id's coming from there, and i was hoping the next query would loop through the photo table and return all the photos with the id's from the 7 galleries i queried above right?

Well theres my code if any one can make sense of it..

<?php

// Check if gallery is published

$query1 = "SELECT id,status FROM gallery WHERE status=1";
$result1 = mysql_query($query1) or die(mysql_error()); 
while($row1 = mysql_fetch_array( $result1 )) { 

$gid = $row1['id'];

// now get the photo file names based on the above published gallery ids

$query2 = "SELECT id,uid,gid,image,origimage FROM photo WHERE gid='$gid' LIMIT 20";
$result2 = mysql_query($query2) or die(mysql_error()); 
while($row2 = mysql_fetch_array( $result2 )) {

?>


<div style="float:l开发者_如何学Goeft;">
<a class="featureGrid" href="public-photo-user.html?uid=<?php echo $row2['uid']; ?>&gid=<?php echo $row2['gid']; ?>&id=<?php echo $row2['id'];?>">
<img  src="media/users/croppedthumbs/<?php echo $row2['uid']; ?>/<?php echo $row2['gid'] ?>/<?php echo $row2['image']; ?>" /> 
</a>
</div>

<?php }} ?>  

Thanks to any one that can help shed light on this or suggest / teach me a better way.

Cheers. John

You're doing multiple queries, each of which is individually limited to 20.

Instead, combine the queries into a single query using a join. It's more efficient than looping multiple queries, and you can put the limit on the combined results:

SELECT photo.id, photo.uid, photo.gid, photo.image, photo.origimage
FROM photo JOIN gallery ON gallery.id=photo.gid
WHERE gallery.status=1
LIMIT 20

You should also always be careful to use mysql_real_escape_string() when putting values into query strings, or you'll get SQL-injection security holes. Similarly, all text you output into the HTML page must be encoded using htmlspecialchars() to avoid markup-injection, and data inserted into a URL part should be encoded with rawurlencode().

ETA:

Can you link me to an example of mysql_real_escape_string combined with htmlspecialchars.

Well, if you were still doing it, this:

$query2 = "SELECT id,uid,gid,image,origimage FROM photo WHERE gid='$gid' LIMIT 20";

Would need the $gid in it to be escaped, otherwise any apostrophe (or potentially backslash) in the value would cause it to blow up.

$query2 = "SELECT id,uid,gid,image,origimage FROM photo WHERE gid='".mysql_real_escape_string($gid)."' LIMIT 20";

Then:

href="public-photo-user.html?uid=<?php echo $row2['uid']; ?>...

would be vulnerable if the uid value contained a double quote, and would also fail for other assorted characters that aren't valid to put in a URL.

Possibly you can be sure that your IDs never contain punctuation, but any other values might do, so it's best to always use the appropriate encoding any time you insert a string of text into another context like SQL, HTML or URL.

Typing mysql_real_escape_string and htmlspecialchars all the time is a bit tedious, though, so I tend to define shortcut functions like:

function m($str) { return "'".mysql_real_escape_string($str)."'"; }
function h($str) { echo htmlspecialchars($str); }
function u($str) { echo rawurlencode($str); }

Which can be used like:

$query2 = "SELECT id,uid,gid,image,origimage FROM photo WHERE gid=".m($gid)." LIMIT 20";

Hello, <?php h($name); ?>

<a class="featureGrid" href="public-photo-user.html?uid=<?php u($row2['uid']); ?>&amp;gid=<?php u($row2['gid']); ?>&amp;id=<?php u($row2['id']); ?>">

(note also & in an attribute value should be escaped to & for HTML validity and reliability.)

You have multiple galleries with a status of 1, and hence are going through the inner loop more than once.