2

I have a DB table. I want to make a text input where the user can input the "uid" and the query will return the row associated with that uid.

So let's say I have something like this:

$query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1";
$result = mysql_query($query);
$res = mysql_fetch_assoc($result);

echo $res["age"];

How would I modify that query to something like:

SELECT name, age 
  FROM people 
 WHERE uid = $_POST['blahblah'] LIMIT 0,1

Thanks in advance for your help!

4 Answers

5

In reality...

// Read input from $_POST
$uid = (isset($_POST['uid']) ? $_POST['uid'] : '');

// Build query.  Properly escape input data.
$query = 
  "SELECT name,age " .
  "FROM people " .
  "WHERE uid = '" . mysql_real_escape_string($uid) . "' " . 
  "LIMIT 0,1";

It's advisable to escape characters in the variable for security reasons. Take a look at this document for some of the reasons:

http://en.wikipedia.org/wiki/SQL_injection


1 Comment

Or why not switch to PDO and use prepared statements to make it safe from SQL injection?
3

To save from SQL injection attack, use:

$search_query = mysql_real_escape_string($_POST['blahblah']);

$query  = "SELECT name, age FROM people WHERE uid = '".$search_query."' LIMIT 0 , 1";


0

There are many ways to do the same thing, but first escape it and store it in one variable:

$blahblah = mysql_real_escape_string($_POST['blahblah']);

And then there are:

First: As @Mett Lo mentioned:

$query = "SELECT name,age FROM people WHERE uid = '" . $blahblah . "' LIMIT 0,1";

Second:

$query = "SELECT name,age FROM people WHERE uid = '{$blahblah}' LIMIT 0,1";

Third:

$query = "SELECT name,age FROM people WHERE uid = '$blahblah' LIMIT 0,1";

and if blahblah is an int value in the db table, then Fourth:

$query = "SELECT name,age FROM people WHERE uid = $blahblah LIMIT 0,1";

2 Comments

For my own educational purposes, why was this -1ed? Also, I was under the impression that if a string was enclosed in double quotes you could insert a variable with no quotes. Is this true, or is that only for echos? I appreciate your suggestions/answers.
@HiggsBoson whoever did -1 should add a comment. If you have defined something as int in the db table then you need not put quotes around that variable. Moreover, adding quotes affects data insert speed. But where the db table has varchar or char or date columns, or anything other than int, then you must enclose it with ("") double quotes.
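As an added example (not code from the question or any of the answers), the PHP below shows why the unquoted "Fourth" form above stays injectable even after escaping, and how the PDO prepared statement suggested in the comment on the first answer removes the problem. It assumes PDO with the SQLite driver is available, uses a stand-in for mysql_real_escape_string, and constructs its own sample rows so it runs offline.

```php
<?php
// Added example, not code from the question or any of the answers.
// Uses an in-memory SQLite database with constructed rows so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (uid INTEGER PRIMARY KEY, name TEXT, age INTEGER)");
$pdo->exec("INSERT INTO people VALUES (1, 'alice', 31), (2, 'bob', 45)");

// Constructed input: what a user could type into the "uid" field instead of a number.
$input = "2 OR 1=1";

// Stand-in for mysql_real_escape_string (the mysql_* extension is not used here).
// Quote-escaping only doubles quote characters; this input has none, so it is
// returned unchanged.
function escape_like_mysql(string $s): string {
    return str_replace("'", "''", $s);
}

// Vulnerable: the "Fourth" form, value interpolated without surrounding quotes.
// Escaping had nothing to act on, so the WHERE clause becomes "uid = 2 OR 1=1"
// and the filter on uid no longer restricts the result.
$unquoted = "SELECT name, age FROM people WHERE uid = " . escape_like_mysql($input);
$rows = $pdo->query($unquoted)->fetchAll(PDO::FETCH_ASSOC);
echo "unquoted interpolation returned " . count($rows) . " rows\n";

// Hardened: a prepared statement sends the SQL text and the value separately, so
// the value can never change the structure of the query. Bound as a string that is
// not a valid integer, it simply matches no uid.
$stmt = $pdo->prepare("SELECT name, age FROM people WHERE uid = :uid LIMIT 1");
$stmt->execute([':uid' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared statement returned " . count($rows) . " rows\n";

// Better still for a numeric key: validate the type before it reaches the query,
// so malformed input is rejected with a clear message instead of silently matching nothing.
$uid = filter_var($input, FILTER_VALIDATE_INT);
if ($uid === false) {
    echo "rejected: uid must be an integer\n";
} else {
    $stmt->execute([':uid' => $uid]);
    print_r($stmt->fetch(PDO::FETCH_ASSOC));
}
```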
0

You may use the sprintf function to create the query.

$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
         $_POST['blahblah'] );

The rest will be the same. It is highly recommended that you escape the $_POST data before running the query to prevent SQL attacks. You may rephrase the query as follows.

$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
         mysql_escape_string($_POST['blahblah']) );

