0 
function get_tags_by_criteria($gender_id, $country_id, $region_id, $city_id, $day_of_birth=NULL, $tag_id=NULL, $thread_id=NULL) {

    $query = "SELECT tags.*
        FROM tags, thread_tag_map, threads
        WHERE thread_tag_map.thread_id = threads.id
        AND thread_tag_map.tag_id = tags.id

        AND threads.gender_id = $gender_id
        AND threads.country_id = $country_id
        AND threads.region_id = $region_id
        AND threads.city_id = $city_id
        AND tags.id LIKE '%$tag_id%'
        AND threads.id LIKE '%$thread_id%'";
        if(!$day_of_birth)
        {
            $query += "AND threads.min_day_of_birth <= '$day_of_birth AND threads.max_day_of_birth >= '$day_of_birth' ";
        }

        $query += "GROUP BY tags.name";

    $result = $this->do_query($query);
    return $result;
}

if no $day_of_birth is passed as an argument i want the sql to omit the 2 lines inside the if. i used:

$all_tags = $forum_model->get_tags_by_criteria(1, 1, 0, 0);

i wonder why this sql returns a error:

Couldn't execute query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' at line 1
Improve this question
2
  • 1
    what does teh final query look like? echo $query; Commented Dec 9, 2009 at 16:53
  • +1 to Galen, simply echoing the query would have enlightened you to a lot of the problems people below have pointed out. Commented Dec 9, 2009 at 16:57

5 Answers 5

Reset to default
2

You're using the addition (+=) operator when you should be using the concatenation (.=) operator.

You should be escaping your inputs too, to avoid SQL injection - see mysql_real_escape_string()

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

there's missing white space between " and AND in appended string

Improve this answer

Comments

1

Your problem is that you left out a ' by the date of birth.

Change it to AND threads.min_day_of_birth <= '$day_of_birth' (Note closing ' and opening )
Also, as others have pointed out, you should write $query .= instead of $query += (note .)

You have a SQL Injection vulnerability; you should use parameters.
Remember Bobby Tables!

Improve this answer

1 Comment

LOL, that Bobby Tables bit is quite funny! Thanks for the good laugh :).
0

.= is used for string concatenation in PHP, not +=

Improve this answer

1 Comment

also put a space before the and in the if statement
0

You can also use placeholders in your query. If an option/parameter is set the script sets the contents of the placeholder to the appropriate sql code otherwise the placeholder is empty/null.

e.g.

function get_tags_by_criteria($gender_id, $country_id, $region_id, $city_id, $day_of_birth=NULL, $tag_id=NULL, $thread_id=NULL) {
  if ( !is_null($day_of_birth) ) {
    $day_of_birth = "AND ('$day_of_birth' BETWEEN threads.min_day_of_birth AND threads.max_day_of_birth)"
  }

  $query = "
    SELECT
      tags.*
    FROM
      tags, thread_tag_map, threads
    WHERE
      thread_tag_map.thread_id = threads.id
      AND thread_tag_map.tag_id = tags.id
      AND threads.gender_id = $gender_id
      AND threads.country_id = $country_id
      AND threads.region_id = $region_id
      AND threads.city_id = $city_id
      AND tags.id LIKE '%$tag_id%'
      AND threads.id LIKE '%$thread_id%'
      {$day_of_birth}
    GROUP BY
      tags.name
  ";

  $result = $this->do_query($query);
  return $result;
}

edit: as mentioned before: keep the possible sql injection in mind.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.