
Why isn't this simple PHP/MySQL code working?

I am very new to php/mysql and this is causing me to lose hair. I am trying to build a multi-level site navigation. In this part of my script I am readying the sub and parent categories coming from a form for insertion into the database:

// get child categories
$catFields = $_POST['categories'];

if (is_array($catFields)) {
  $categories = $categories;

  for ($i=0; $i<count($catFields); $i++) {
    $categories = $categories . $catFields[$i];
  }
}

// get parent category    
$select = mysql_query ("SELECT parent FROM categories WHERE id = $categories");

while ($return = mysql_fetch_assoc($select)) {    
  $parentId = $return['parent'];
}

The first part of my script works fine, it grabs all the categories that the user has chosen to assign a post by checking the checkboxes in a form and readies it for insertion into the database.

But the second part does not work and I can't understand why. I am trying to match a category with a parent that is stored in its own table, but it returns nothing even though the categories all have parents. Can anyone tell me why this is?

p.s. The $categories variable contains the sub category id.


I can see a few bugs:

$categories = $categories;

should be

$categories = '';

Since there will be more than one category, you'll have to use the MySQL IN clause as:

SELECT parent FROM categories WHERE id in ($categories)

For this to happen you'll have to make categories a comma-separated list of ids by altering your for loop as:

for ($i=0; $i<count($catFields); $i++)
    $categories .= "$catFields[$i],"; // append 'id,' to existing list.
$categories = trim($categories, ','); // remove the trailing comma; trim() returns the result, so assign it.


$categories seems like it would be a string with more than one value in it, which the SQL engine you're using isn't going to be able to use with just an = where condition. You probably need to change it so that your SQL looks something like WHERE id IN (1,2,3) where 1, 2, 3 etc. are the ids that you want to match.


  1. AFAIK, $_POST is an array. Is $_POST['categories'] the data from a multi select html form element?

What kind of data are you sending in $_POST['categories']? How do you expect that to be an array? If you are encoding the data into an array like structure before submitting it to your PHP script, you may have to manually insert it into an array.

  2. Use

    $select = mysql_query ("SELECT parent FROM categories WHERE id IN (" . implode(",", $array) . ")");


And don't forget mysql_real_escape_string() in combination with quotes ' in your query; your current code is prone to SQL injection. Prepared statements (PDO or MySQLi) will do the trick as well.

But don't trust user input!
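
The prepared-statement route mentioned in the last answer, applied to the IN (...) lookup, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for the MySQL connection so it runs offline; cleanIds() and parentsOf() are hypothetical helper names, and $posted is a constructed stand-in for $_POST['categories'].

```php
<?php
// Added example, not code from the original thread.
// Assumption: pdo_sqlite in-memory stands in for MySQL so the script runs
// offline; with MySQL only the DSN passed to new PDO() changes.

/** Keep only whole positive integers from the submitted values. */
function cleanIds($input): array
{
    if (!is_array($input)) {
        return [];
    }
    $ids = [];
    foreach ($input as $value) {
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by id to de-duplicate
        }
    }
    return array_values($ids);
}

/** Return [category id => parent id] for the given category ids. */
function parentsOf(PDO $db, array $ids): array
{
    if ($ids === []) {
        return []; // "IN ()" is a syntax error, so skip the query
    }
    // One "?" per id: the SQL text itself never contains submitted data.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, parent FROM categories WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, parent INTEGER)');
$db->exec('INSERT INTO categories (id, parent) VALUES (3, 1), (4, 1), (7, 2)');

// Constructed stand-in for $_POST['categories'] from the checkbox form,
// including a duplicate and two values that are not plain integers.
$posted = ['3', '7', '7', '4 OR 1=1', 'abc'];

print_r(parentsOf($db, cleanIds($posted)));
```

The integer filter and the bound placeholders are independent layers: the filter rejects malformed ids early, while the placeholders keep the query structure fixed even if the filter is later loosened.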
