views:

84

answers:

5
+2  A: 
  • Please post in English. Everyone else does.
  • Try using a different fetch method - fetch an associative array, then use the dynamic parameter to retrieve whatever column it is you need.
  • Have you considered using PDO?
tdammers
I also suggest using PDO. It is much better.
Yorirou
A: 

Wouldn't this work?

$result = mysql_fetch_array($query);

echo trim($result['name']);
Andrei Serdeliuc
+1  A: 

Is it this you're looking for? Even your question in German isn't that clear to me:

$field = 'name';
$query = mysql_query("SELECT $field FROM contacts WHERE contact_id='". mysql_real_escape_string( $id ) ."' and user_id='1';");
$retval = mysql_fetch_object($query)->$field;
wimvds
Yes, I'm looking for this. Would it work this way?
mikep
here goes an sql injection...
Col. Shrapnel
@Col. Shrapnel: Depends on where $field comes from and if it's properly escaped.
dbemerlin
@Col. Shrapnel: Not as is, if he just gets the $name from a GET/POST var without checking, then yes you have a point.
wimvds
@dbemerlin oh can you tell me how to properly escape?
Col. Shrapnel
Why on earth is there a "$retval = $retval = " on the last line? (Also, why not just use mysql_real_escape_string around $field?)
middaparka
@middaparka because mysql_real_escape_string would help nothing
Col. Shrapnel
@Col. Shrapnel - Why not? As long as the $field and $id variables are escaped there's a basic level of protection in place.
middaparka
@middaparka: That was a stupid copy/paste error on my part. Corrected.
wimvds
@middaparka because you do not understand what this function does. `$field = "Billy Joe";`. Go escape it.
Col. Shrapnel
@Col. Shrapnel: Don't be a smartass, have a look at your code below, and compare it to what I posted without assuming things that the OP didn't even ask for. Can you tell me what "script.php?id=Billy%20Joe" would actually do on your code snippet? btw `SELECT *` is evil, you should NEVER, EVER use it.
wimvds
But I am. I am an ass, but I am smart and proud of it. It will merely return no rows. What's wrong with it? And you look ridiculous with that "NEVER, EVER use it!!!111" mindless prayer when talking of selecting just a single row. Everyone who repeats it has ten thousand times worse holes in their code. Every friggin one.
Col. Shrapnel
I beg your pardon for the tone. But I just hate to see improper solutions. Escaping works only within quoted strings. That's the way it works. It wouldn't help with a field name, where you can't use quotes. So, one who does it that way lays a trap for themselves.
Col. Shrapnel
A: 

You should never put a variable into the field list.
If you want a variable field name, select * and then use your variable to fetch the particular field.

<?php
require_once 'config.php';

$id = mysql_real_escape_string($_GET["id"]); // ID of the current contact
$user = $_GET["user"];  // ID of the current user

$query  = "SELECT * FROM contacts WHERE contact_id='$id' and user_id='1'";
$result = mysql_query($query) or trigger_error(mysql_error().$query);

$row = mysql_fetch_array($result);

//and finally
$fieldname = "name";
$retval = $row[$fieldname];

echo $retval;
?>
Col. Shrapnel
Yes, I could do it this way too, you're right, but the query should be "SELECT * FROM contacts WHERE contact_id='$id' and user_id='1'" instead of "SELECT name FROM contacts WHERE contact_id='$id' and user_id='1'".
mikep
@mikep yes, my bad. edited that.
Col. Shrapnel
+1  A: 

I believe you are confusing matters (unintentionally) due to your use of the word 'row'. Judging by your example you mean field/column. It sounds like you wish to specify the fields to select using a variable which can be done by any of these methods...

$fields = "name, age";

$sql = "SELECT $fields FROM table";
$sql = "SELECT {$fields} FROM table";
$sql = "SELECT ".$fields." FROM table";

NB it is important that you have secure data in the $fields element, I would suggest using a whitelist of allowed values i.e.

// assuming $_POST['fields'] looks something like array('name','age','hack');
$allowed = array('name', 'age');
$fields = array();

foreach ($_POST['fields'] as $field) {
   // keep only the column names that appear in the whitelist
   if (in_array($field, $allowed)) {
      $fields[] = $field;
   }
}
$fields = implode(', ', $fields);
Cags
I've tried this: ".$fields." but it doesn't work for me, so I use this one $fields
mikep
mikep, all three solutions I gave work perfectly fine, if you had problems implementing it, then that's because your implementation was messed up, most likely by messing up single/double quoted strings. It is perfectly valid PHP.
Cags
hmmm ok will try it.
mikep
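
The two points made in this thread (escaping only protects quoted string values, and a variable column name needs a whitelist) combined with the PDO suggestion from the first answer, as an added example that is not code from any poster here. It assumes PHP 7.1+ with the pdo_sqlite driver; the table layout, sample rows, `ALLOWED_FIELDS` and `fetchContactField()` are constructed for illustration.

```php
<?php
// Added example: column name checked against a fixed list, values bound via PDO.
// Table layout, sample rows and helper name are constructed for illustration.

const ALLOWED_FIELDS = ['name', 'email', 'phone'];

function fetchContactField(PDO $pdo, string $field, int $contactId, int $userId): ?string
{
    // An identifier cannot be bound as a parameter or protected by string
    // escaping, so it must match one of our own literals exactly.
    if (!in_array($field, ALLOWED_FIELDS, true)) {
        throw new InvalidArgumentException('Field not allowed: ' . $field);
    }

    // $field is now a known column name; the values go in as bound parameters.
    $stmt = $pdo->prepare(
        "SELECT $field FROM contacts WHERE contact_id = :id AND user_id = :uid"
    );
    $stmt->execute([':id' => $contactId, ':uid' => $userId]);

    $value = $stmt->fetchColumn();   // false when no row matched
    return ($value === false || $value === null) ? null : (string) $value;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (contact_id INTEGER, user_id INTEGER,
            name TEXT, email TEXT, phone TEXT, private_note TEXT)');
$pdo->exec("INSERT INTO contacts VALUES
            (7, 1, 'Billy Joe', 'billy@example.com', '555-0100', 'internal only')");

// Columns on the list are returned normally.
echo fetchContactField($pdo, 'name', 7, 1), "\n";
echo fetchContactField($pdo, 'email', 7, 1), "\n";

// Anything else is rejected before a query is built: another real column,
// a column list, or a string that is not a column at all.
foreach (['private_note', 'name, private_note', 'Billy Joe'] as $requested) {
    try {
        fetchContactField($pdo, $requested, 7, 1);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```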