ansaurus

Question

SQL: Select * from

Answer 1

A:

or just don't use any condition, e.g.:

select * from tablename

dusoft 2009-09-24 14:40:44

what's the downvote for? any rational reason? i doubt so

dusoft 2009-09-24 14:58:04

Answer 2

A:

$v = $_GET['id];
if($v== -1)
   $var = '' //here i want to select all recods
else
   #var = 'WHERE id= ' + $v  //select record recod with specifinc id

//execure the SQL query now

select * from tablename $var

Jorge Córdoba 2009-09-24 14:40:55

will fail! as there still would be "where" clause

dusoft 2009-09-24 14:41:29

Erm ... right, now should work.

Jorge Córdoba 2009-09-24 14:44:14

Answer 3

A:

You could always set the variable to NULL.

SELECT * FROM table WHERE (ID = @Var or @Var IS NULL)

FYI, in SQL don't compare something to null using x=NULL since Null has no value, it cannot equal anything.

Pulsehead 2009-09-24 14:41:10

Answer 4

+4 A:

You need to construct your sql string depending on the value of V.

If V = *

select * from table

if V != *

select * fronm table WHERE id = $v

KB22 2009-09-24 14:41:14

Answer 5

+4 A:

$v = $_GET['id];
if($v== -1)
   $var = 'id' //here i want to select all recods
else
   #var = $v  //select record recod with specifinc id

//execure the SQL query now
select * from tablename where id= $var

The query would look like:

SELECT * FROM tablename WHERE id = id

Lukasz Lysik 2009-09-24 14:41:37

Answer 6

A:

You can't do this the way you are trying to approach it. The asterisk is a wildcard, but it doesn't apply in comparisons in where clauses. You should use one of the approaches listed here.

Chris Dwyer 2009-09-24 14:43:09

(-1) Of course you can! Just don't think of '*' as an asterisk but as just a generic string value. See my answer below.

Workshop Alex 2009-09-24 14:57:38

Really? I'm referring to how the asker was using the asterisk in the where clause. It seems that your method below just works for whatever character you want to use. I think it is better for the asker to have a correct understanding of asterisk than to enable an obvious false understanding he/she has of it.

Chris Dwyer 2009-09-24 15:16:51

Answer 7

A:

select * from tablename where (id= $var) or ($var='*')

($var='*') evaluates to true for every row, thus it would select all rows. Or it will evaluate to false, in which case only those records are selected where (id = $var).

For those who don't get it, I'm not comparing to * but to a string constant. I could have used any value instead of '*' but this just looks more clear. I could also use:

select * from tablename where (id= $var) or ($var=-1)

Which basically has the same effect. Either the first or the second condition evaluates to true. If you want all records, just make sure the second validation is true by assigning '*' or -1 to $var, depending on the piece of code you use...

And since some people still don't understand why this works, here's what the query translates to when $var gets the value '*':

select * from tablename where (id= '*') or ('*'='*')

Because the second comparison translates to true, all rows result in true for this where clause.

And if $var has the value 20, it translates to:

select * from tablename where (id= '20') or ('20'='*')

And in this case, the latter comparison translates to false, but the first one will be true for all records where id equals 20.

Workshop Alex 2009-09-24 14:45:59

He is not trying to get id = $var OR $var = '*'. He wants to get ALL results if no id is specified.

bisko 2009-09-24 14:48:09

And he will get all results this way!

Workshop Alex 2009-09-24 14:48:56

Only those equaling to '*' not all :)For example:1,2,3,4,5,*,15,10 your query would return only '*' not all.

bisko 2009-09-24 15:29:27

@bisko, have you even tried this query or is this pure ignorance? I don't compare id with '*' but the variable with '*'. As a result, it validates to true for every record. $var is not a field but a parameter!

Workshop Alex 2009-09-24 17:44:11

bisko he is right :)

JonH 2009-09-25 15:08:27

@JonH, who is right, exactly? Bisko or me? If I'm right, upvote me! :-)

Workshop Alex 2009-09-25 15:58:54

Answer 8

+4 A:

You could use

if(isset($_GET['id'])){
   $v = $_GET['id'];
   $sql_statement = "select * from tablename where id=".mysql_real_escape_string($v);
} else {
   $sql_statement = "select * from tablename";
}
// then do your sql business here

liam 2009-09-24 14:46:00

(-1) This will make you vulnerable to SQL injections!

Workshop Alex 2009-09-24 15:01:30

Okay, edited to use mysql_real_escape_string()

liam 2009-09-24 15:04:33

That's better. :-) Removed -1. Would actually like to do a +1 but it's somehow to old to vote on.

Workshop Alex 2009-09-24 15:09:17

don’t use mysql_real_escape_string on integeres. cast to int, and you will be save: (int)$id or intval($id)

knittl 2009-09-24 15:25:29

Answer 9

+1 A:

The * should never be used when writing SQL. Make certain you list out all column names that are needed. Even if you need 50 column names list them out.

Using SELECT * is bad practice imho. Don't be lazy write clean code!

JonH 2009-09-24 15:01:37

Answer 10

A:

It seems to me the easiest solution would be:

$v = $_GET['id'];
$query = 'select * from tablename';

if( is_numeric($v) && ($v>0) )
   $query .= ' where id=' . $v;

//execute the query

Just add the WHERE clause when necessary.

If the input is not expected to be numeric you will need to escape it or - even better - use a prepared statement (mysqli or pdo).

jeroen 2009-09-24 15:16:47

ansaurus

tags:

views:

answers:

SQL: Select * from

related questions