tags:

views:

95

answers:

5
Q: 

if function inside sql query? 

function get_tags_by_criteria($gender_id, $country_id, $region_id, $city_id, $day_of_birth=NULL, $tag_id=NULL, $thread_id=NULL) {

 $query = "SELECT tags.*
        FROM tags, thread_tag_map, threads
        WHERE thread_tag_map.thread_id = threads.id
        AND thread_tag_map.tag_id = tags.id

        AND threads.gender_id = $gender_id
        AND threads.country_id = $country_id
        AND threads.region_id = $region_id
        AND threads.city_id = $city_id
        AND tags.id LIKE '%$tag_id%'
        AND threads.id LIKE '%$thread_id%'";
        if(!$day_of_birth)
        {
            $query += "AND threads.min_day_of_birth <= '$day_of_birth AND threads.max_day_of_birth >= '$day_of_birth' ";
        }

        $query += "GROUP BY tags.name";

 $result = $this->do_query($query);
 return $result;
}

if no $day_of_birth is passed as an argument i want the sql to omit the 2 lines inside the if. i used:

$all_tags = $forum_model->get_tags_by_criteria(1, 1, 0, 0);

i wonder why this sql returns a error:

Couldn't execute query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' at line 1
A: 

.= is used for string concatenation in PHP, not +=

Simon  2009-12-09 16:53:41
also put a space before the and in the if statement
Galen  2009-12-09 16:54:46
+2  A: 

You're using the addition (+=) operator when you should be using the concatenation (.=) operator.

You should be escaping your inputs too, to avoid SQL injection - see mysql_real_escape_string()

Greg  2009-12-09 16:54:02
+1  A: 

Your problem is that you left out a ' by the date of birth.

Change it to AND threads.min_day_of_birth <= '$day_of_birth' (Note closing ' and opening )
Also, as others have pointed out, you should write $query .= instead of $query += (note .)

You have a SQL Injection vulnerability; you should use parameters.
Remember Bobby Tables!

SLaks  2009-12-09 16:55:03
LOL, that Bobby Tables bit is quite funny! Thanks for the good laugh :).
dcp  2009-12-09 16:57:52
Bobby Tables? Whats that?
never_had_a_name  2009-12-09 22:01:48
Click the link.
SLaks  2009-12-09 23:18:28
http://xkcd.com/327/
SLaks  2009-12-09 23:18:58
+1  A: 

there's missing white space between " and AND in appended string

yedpodtrzitko  2009-12-09 16:55:15
A: 

You can also use placeholders in your query. If an option/parameter is set the script sets the contents of the placeholder to the appropriate sql code otherwise the placeholder is empty/null.

e.g.

function get_tags_by_criteria($gender_id, $country_id, $region_id, $city_id, $day_of_birth=NULL, $tag_id=NULL, $thread_id=NULL) {
  if ( !is_null($day_of_birth) ) {
    $day_of_birth = "AND ('$day_of_birth' BETWEEN threads.min_day_of_birth AND threads.max_day_of_birth)"
  }

  $query = "
    SELECT
      tags.*
    FROM
      tags, thread_tag_map, threads
    WHERE
      thread_tag_map.thread_id = threads.id
      AND thread_tag_map.tag_id = tags.id
      AND threads.gender_id = $gender_id
      AND threads.country_id = $country_id
      AND threads.region_id = $region_id
      AND threads.city_id = $city_id
      AND tags.id LIKE '%$tag_id%'
      AND threads.id LIKE '%$thread_id%'
      {$day_of_birth}
    GROUP BY
      tags.name
  ";

  $result = $this->do_query($query);
  return $result;
}

edit: as mentioned before: keep the possible sql injection in mind.

VolkerK  2009-12-09 17:09:06

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL