I am retrieving values from the URL with the GET method and then using an if statement to determine if they are there, then querying them against the database to only show those items that match them. I get "An unknown error occurred with your request". Here is my code:

$province = $_GET['province'];
$city = $_GET['city'];

if(isset($province) && isset($city) ) {
  $results3 = mysql_query("SELECT *
                            FROM generalinfo
                           WHERE province = $province
                             AND city = $city  ")
                       or die( "An unknown error occurred with your request");
} else {
  $results3 = mysql_query("SELECT * FROM generalinfo");
} /*if statement ends*/
+4  A: 

You need single-quotes round your strings in SQL:

"SELECT * FROM generalinfo WHERE province='$province' AND city='$city'"

Note that constructing the query in this way could leave you at risk of an SQL injection vulnerability. Consider using mysql_real_escape_string instead.

"SELECT * FROM generalinfo WHERE province='" .
mysql_real_escape_string($province) . "' AND city='" .
mysql_real_escape_string($city) . "'"
Mark Byers
+1 because the only correct way to deal with user input is to escape it.
Felix Kling
+1 answer without a security hole in it. Consider also parameterised queries (`mysqli`/PDO).
bobince
Thanks for the quick response and this worked perfectly and I included the escapes option.
Anders Kitson
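The parameterised-query route bobince mentions, as an added example that is not code from the question or the answers: the same lookup done with a PDO prepared statement, so the values from $_GET are bound as parameters rather than spliced into the SQL text. The DSN, user name and password are placeholders, and the table and column names are taken from the question.

```php
<?php
// Added example, not code from the question or the answers: the same lookup
// with a PDO prepared statement (bobince's suggestion), so values taken from
// $_GET are bound as parameters and never become part of the SQL text.
// Connection details below are placeholders.

function findGeneralInfo(PDO $pdo, ?string $province, ?string $city): array
{
    if ($province !== null && $city !== null) {
        // The query text is fixed; the ? placeholders are filled in from the
        // bound values, so quotes inside a value are treated as data, not SQL.
        $stmt = $pdo->prepare(
            'SELECT * FROM generalinfo WHERE province = ? AND city = ?'
        );
        $stmt->execute([$province, $city]);
    } else {
        // No filter supplied: same fallback as the original else-branch.
        $stmt = $pdo->query('SELECT * FROM generalinfo');
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'db_user',     // placeholder user
    'db_password', // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die()
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

// Read the parameters without an undefined-index notice when a key is
// missing (the original isset() check ran only after the copy was made).
$rows = findGeneralInfo($pdo, $_GET['province'] ?? null, $_GET['city'] ?? null);

foreach ($rows as $row) {
    // Escape for HTML on output, just as the values were bound on input.
    echo htmlspecialchars($row['city'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The mysql_* functions used in the question were removed in PHP 7, so PDO (or mysqli) prepared statements are also the only option on a current PHP.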