1

I'm getting the results of an array using this

$arrayResults = $_GET;

$arr = $arrayResults;

and am then using this to get the variables:

foreach ($arr['seller'] as $seller) { 
  echo $seller;
}

which outputs value 1 value 2 value 3, but when I put that into a MySQL query it doesn't work, so I need to get them into a string and ideally have something like this - "value 1" OR "value 2" OR "value 3"

This is the query I'm using

$sql_select = "SELECT * ";
$sql_from = "from feeds,product_categories_map where feeds.seller =".dbstr( $seller )." and feeds.enabled=1 and feeds.stock=1 and feeds.deleted=0 and feeds.best_seller=1 and product_id=product_feed_id and product_feed_id!=1 ";
$sql_orderby = " ORDER BY rand()";
$sql_limit = " LIMIT 20";

$query=$sql_select . $sql_from . $sql_group . $sql_orderby . $sql_limit;
$product_results=dbselect( $query,"dbLinkInt" );

I'm not sure where I'm going wrong here.

4
  • "I'm not sure where I'm going wrong here": you are concatenating an array with a string. Commented Feb 6, 2018 at 9:55
  • How do I fix that? Sorry, I'm very new to PHP - this is the first time I've used it. Commented Feb 6, 2018 at 9:57
  • Construct part of the query inside your foreach loop and then use it. However, you've got a massive security issue here known as MySQL injection and you should look into what prepared statements are as this code is not suitable for production Commented Feb 6, 2018 at 10:01
  • Please dont do this Commented Feb 6, 2018 at 10:03

3 Answers

2

Assuming that you've sanitized your input, you should just format your variable this way:

$seller = implode("','", $arrayResults['seller']); // joins the seller values into a quoted, comma-separated list: value 1','value 2','value 3

Then change your query to:

$sql_from = "from feeds,product_categories_map where feeds.seller IN ('".$seller."') and feeds.enabled=1 and feeds.stock=1 and feeds.deleted=0 and feeds.best_seller=1 and product_id=product_feed_id and product_feed_id!=1 ";

1
$sql_select = "SELECT * ";
$sql_from = "from feeds,product_categories_map where feeds.seller =".dbstr( $seller )." and feeds.enabled=1 and feeds.stock=1 and feeds.deleted=0 and feeds.best_seller=1 and product_id=product_feed_id and product_feed_id!=1 ";
$sql_orderby = " ORDER BY rand()";
$sql_limit = " LIMIT 20";

$query = "SELECT * from feeds,product_categories_map where feeds.seller=%s and feeds.enabled=1 and feeds.stock=1 and feeds.deleted=0 and feeds.best_seller=1 and product_id=product_feed_id and product_feed_id!=1 ORDER BY rand()";

// note: mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.0
$query = sprintf($query, mysql_real_escape_string(dbstr($seller)));

Please use the sprintf method and mysql_real_escape_string. sprintf on its own will not protect you. Also you may look at an OO design.

All the best


1

Your question seems to consist of two parts, and gives rise to a third issue:

1. Joining a number of array elements into a single string

PHP's implode function allows joining the elements of a given array with a given string.

For example:

$seller = array('value 1', 'value 2', 'value 3');
$seller_joined = "\"" . implode("\" OR \"", $seller) . "\"";
echo $seller_joined;

Should echo:

"value 1" OR "value 2" OR "value 3"

2. Writing an SQL WHERE clause which checks whether a certain attribute equals one of a certain set of values

If you want to check whether a certain attribute equals one of a number of possible values, you should use the SQL IN operator, and separate the values by a comma instead of the keyword OR, e.g.:

$seller_joined = "\"" . implode("\", \"", $seller) . "\"";
$sql_from = "from feeds,product_categories_map where feeds.seller IN (". $seller_joined .") and feeds.enabled=1 and feeds.stock=1 and feeds.deleted=0 and feeds.best_seller=1 and product_id=product_feed_id and product_feed_id!=1 ";

3. Sanitizing input to the database

As suggested by the following answers, you should make sure you sanitize your strings before you pass them to the database, in order to prevent SQL injection.
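The answers above build the IN (...) list by concatenating the seller values into the SQL text, and the comments point at prepared statements instead. The following is an added example (not code from the question or any answer) that generates one placeholder per seller and lets PDO bind the values, so a seller name containing a quote can neither break the query nor change its meaning. Table and column names are taken from the question; the in-memory SQLite database, its rows and the normaliseSellers/selectBestSellers function names are constructed here so the script runs offline (MySQL would use ORDER BY rand() rather than RANDOM()).

```php
<?php
function normaliseSellers($input): array {
    // $_GET['seller'] may be absent, a scalar or an array: always return a
    // list of non-empty strings and refuse to build an empty "IN ()" clause.
    $values = is_array($input) ? $input : [$input];
    $values = array_values(array_filter($values, fn($v) => is_string($v) && $v !== ''));
    if ($values === []) {
        throw new InvalidArgumentException('at least one seller is required');
    }
    return $values;
}

function selectBestSellers(PDO $db, array $sellers): array {
    // One "?" per value: the SQL text only ever contains placeholders.
    $placeholders = implode(', ', array_fill(0, count($sellers), '?'));
    $sql = "SELECT feeds.* FROM feeds, product_categories_map"
         . " WHERE feeds.seller IN ($placeholders)"
         . " AND feeds.enabled=1 AND feeds.stock=1 AND feeds.deleted=0"
         . " AND feeds.best_seller=1 AND product_id=product_feed_id"
         . " AND product_feed_id!=1 ORDER BY RANDOM() LIMIT 20";
    $stmt = $db->prepare($sql);
    $stmt->execute($sellers);   // values are bound by the driver, not concatenated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: schema and rows invented for this demo, join copied from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feeds (id INTEGER PRIMARY KEY, seller TEXT, enabled INT,
           stock INT, deleted INT, best_seller INT)');
$db->exec('CREATE TABLE product_categories_map (product_id INT, product_feed_id INT)');
$db->exec("INSERT INTO feeds VALUES (2,'value 1',1,1,0,1), (3,'O''Reilly',1,1,0,1),
           (4,'value 3',1,0,0,1)");
$db->exec('INSERT INTO product_categories_map VALUES (2,2), (5,1)');

// Simulates ?seller[]=value 1&seller[]=O'Reilly&seller[]=value 3 from $_GET.
$sellers = normaliseSellers(['value 1', "O'Reilly", 'value 3']);
$rows = selectBestSellers($db, $sellers);
echo count($rows), " row(s) matched\n";   // 2: "value 3" is out of stock, the quote is harmless
foreach ($rows as $row) {
    echo $row['seller'], "\n";
}
```

With the implode("','", ...) approach from the first answer, the seller "O'Reilly" would terminate the string literal and produce a syntax error at best; with bound parameters it is just another value to compare.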
