Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
fetch items from a row
4 views
Skip to first unread message
richard
May 3, 2013, 3:55:58 PM5/3/13
to
How would I change the '42' value to a string value based upon the value
retrieved from using $_GET('number')?
<?php
$result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
if (!$result) {
echo 'Could not run query: ' . mysql_error();
exit;
}
$row = mysql_fetch_row($result);
echo $row[0]; // 42
echo $row[1]; // the email value
?>
Salvatore
May 3, 2013, 4:18:21 PM5/3/13
to
On 2013-05-03, richard <nor...@example.com> wrote:
>
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
> [snip]
>
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
What do you mean by this? Do you want the value "42" cast as a string?
--
Blah blah bleh...
GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++
Message has been deleted
Denis McMahon
May 3, 2013, 4:47:26 PM5/3/13
to
$_GET is not a function, $_GET('number') is invalid syntax.
$_GET['number'] will return the string from the get request that was
prefixed with "(?|&)number= up to but not including the end of the
request or the next "&" whichever comes first.
If you're trying to use the string value as a numeric value in a query,
then you may not want to put quotes round it in the query string:
select * from table where column = '42'; // looks for a string
select * from table where column = 42; // looks for a number
As the value you get from the request is a string, and the sql command is
a string, you could just copy the string value across, or you could force
it to a number and back in the process, which might be slightly slower,
but would be a lot safer:
num = -1;
if (isset($_GET['number'])) num = intval($_GET['number'])
if ( num > 0 ) {
sql = "select * from table where column = {$num}";
}
else {
// handle invalid number here
}
But all of this presumes that your issue is that you are comparing a
string value with an integer field, and that's why you're not getting the
result you expect - however you really haven't presented enough
information about the problem - and if your issue is a mysql one, perhaps
you need to ask in a mysql group.
--
Denis McMahon, denismf...@gmail.com
Richard Yates
May 3, 2013, 5:00:30 PM5/3/13
to
On Fri, 3 May 2013 15:55:58 -0400, richard <nor...@example.com>
wrote:
Your question is a little confusing. It sounds like you are GETting an
integer and want to use it in the mysql query there the id is stored
as a string in the database.
$number = $_GET['number'];
$result = mysql_query("select id, email from people where id='$number'
";
But I also wonder why your id numbers in the database are stored as
strings and not as integer primary keys (which they seem to be).
wrote:
integer and want to use it in the mysql query there the id is stored
as a string in the database.
$number = $_GET['number'];
$result = mysql_query("select id, email from people where id='$number'
";
But I also wonder why your id numbers in the database are stored as
strings and not as integer primary keys (which they seem to be).
Scott Johnson
May 3, 2013, 5:21:31 PM5/3/13
to
URI query no matter the value.
And the MySQL results will return a string as well whether it is as an
integer or string.
I would double check that in the mysql ng.
Lew Pitcher
May 3, 2013, 5:38:08 PM5/3/13
to
On Friday 03 May 2013 17:00, in comp.lang.php, ric...@yatesguitar.com
wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <nor...@example.com>
> wrote:
>
>>
>>How would I change the '42' value to a string value based upon the value
>>retrieved from using $_GET('number')?
>>
>>
>><?php
>>$result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>>}
>>$row = mysql_fetch_row($result);
>>
>>echo $row[0]; // 42
>>echo $row[1]; // the email value
>>?>
>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
Have you met little Bobby Tables (http://xkcd.com/327/) ?
The PHP documentation webpages have a slightly better suggestion for this
sort of query...
From http://www.php.net/manual/en/function.mysql-query.php
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
--
Lew Pitcher
"In Skills, We Trust"
wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <nor...@example.com>
> wrote:
>
>>
>>How would I change the '42' value to a string value based upon the value
>>retrieved from using $_GET('number')?
>>
>>
>><?php
>>$result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>>}
>>$row = mysql_fetch_row($result);
>>
>>echo $row[0]; // 42
>>echo $row[1]; // the email value
>>?>
>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
The PHP documentation webpages have a slightly better suggestion for this
sort of query...
From http://www.php.net/manual/en/function.mysql-query.php
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
--
Lew Pitcher
"In Skills, We Trust"
Richard Yates
May 3, 2013, 6:15:38 PM5/3/13
to
input would be validated, etc. But, the poster is clearly struggling
with the simplest elements of php/mysql and, to learn that part,
needed only the simplest answer to his question.
SwissCheese
May 4, 2013, 5:56:50 AM5/4/13
to
multi-statement queries.
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
The Natural Philosopher
May 4, 2013, 6:05:06 AM5/4/13
to
On 03/05/13 20:55, richard wrote:
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
$_GET['number'] IIRC...
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
>
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>
$result = mysql_query("SELECT id,email FROM people WHERE id = '<?echo $_GET['number']?>'");
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>
with usual caveats about SQL injection etc.
I tend to use - sprintf as in
$query=sprintf("SELECT id,email FROM people WHERE id = '%d'"
,$_GET['number'])
$result = mysql_query($query);
to make sure what's in there is only a decimal number.
-- Ineptocracy (in-ep-toc’-ra-cy) – a system of government where the
least capable to lead are elected by the least capable of producing, and
where the members of society least likely to sustain themselves or
succeed, are rewarded with goods and services paid for by the
confiscated wealth of a diminishing number of producers.
The Natural Philosopher
May 4, 2013, 6:06:19 AM5/4/13
to
numeric field.
The Natural Philosopher
May 4, 2013, 6:08:00 AM5/4/13
to
Mladen Gogala
Aug 4, 2013, 1:06:01 PM8/4/13
to
On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
> More likely:
>
> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
> $_GET['number'] . "'");
And the code like that is the basis for all SQL injection attacks. It's
so frequent that even comic strips have been written about it:
http://xkcd.com/327/
If you have such code in the client facing application, prepare to meet
little Bobby Tables.
--
Mladen Gogala
The Oracle Whisperer
http://mgogala.byethost5.com
> More likely:
>
> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
> $_GET['number'] . "'");
And the code like that is the basis for all SQL injection attacks. It's
so frequent that even comic strips have been written about it:
http://xkcd.com/327/
If you have such code in the client facing application, prepare to meet
little Bobby Tables.
--
Mladen Gogala
The Oracle Whisperer
http://mgogala.byethost5.com
Message has been deleted
The Natural Philosopher
Aug 4, 2013, 5:27:01 PM8/4/13
to
On 04/08/13 18:06, Mladen Gogala wrote:
> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.
>
>
avoided simply by :
> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.
>
>
$result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
$_GET['number'] ));
Using sprintf not only makes everything to look reasonable at code
inspection level it self validates stuff that should be a number and
gurantees only a number.
Likewise either escape strings or hexify them.
It isn't rocket science.
Message has been deleted
Denis McMahon
Aug 4, 2013, 8:19:30 PM8/4/13
to
On Fri, 03 May 2013 15:55:58 -0400, richard wrote:
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
$_GET isn't a function, it's an associative array.
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
If you're trying to read the "number" parameter of a get request, you use:
$_GET['number'];
or:
$_GET["number"];
The type of brackets is very important, although in this specific case,
the type of quote marks is less important than it is at other times.
> <?php $result = mysql_query("SELECT id,email FROM people WHERE id =
> '42'"); if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42 echo $row[1]; // the email value ?>
If you want to output the email address for a specific id number that
comes from a get request, which I think is what you mean:
<?php
$num = 0;
$if isset( $_GET["number"] ) $num = intval( $_GET["number"] );
$sql = "SELECT email FROM people WHERE id = '{$num}'";
$result = mysql_query( sql );
if ( !$result ) {
echo "mysql query \"{$sql}\" failed with: " . mysql_error() . "\n";
} else {
$rows = mysql_num_rows( $result );
if ( $rows != 1 ) {
echo "Unexpected result from sql query \"{$sql}\", {$rows} rows
returned when 1 row expected!\n";
} else {
$row = mysql_fetch_row($result);
if ( $row ) {
echo "Email address is: {$result[0]}\n";
} else {
echo "No email address found for that ID number\n";
}
}
}
--
Denis McMahon, denismf...@gmail.com
Jerry Stuckle
Aug 4, 2013, 10:09:40 PM8/4/13
to
On 8/4/2013 5:27 PM, The Natural Philosopher wrote:
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id =
> '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything to look reasonable at code
> inspection level it self validates stuff that should be a number and
> gurantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
>
Which gives incorrect results if the value isn't an integer. It is much
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id =
> '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything to look reasonable at code
> inspection level it self validates stuff that should be a number and
> gurantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
>
better to validate the data and, if it is incorrect (i.e. in this case,
not an integer), provide an error message instead of incorrect results.
But then only a programmer would know that.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================
0 new messages