
I'm trying to stuff a variable into a SQL query to return a value to a page.

$sql = 'SELECT account FROM users WHERE uid = arg(1)';

Where arg(1) = the user currently being viewed. I am outputting arg(1) at the top of the page, so I know it's there, but Drupal doesn't seem to want to take it. I've tried escaping several different ways. Below is the full code:

function accountselect_getclientaccount() {
  global $user;
  // arg(1) sits inside a single-quoted literal here, so it is never called.
  $sql = 'SELECT account FROM users WHERE uid = arg(1)';
  $result = db_result(db_query($sql));
  return $result;
}

3 Answers


You could try:

$uid = arg(1);
$result = db_result(db_query("SELECT account FROM {users} WHERE uid = %d", $uid));

To avoid sql-injection, you should use placeholders (see db_query for more info):

$result = db_query("SELECT * FROM {users} WHERE uid = %d", arg(1));

Also note that db_result is meant for single-column, single-result queries. You probably want to use db_fetch_object. Additionally, there isn't a column in the users table called account.

2 Comments

Thanks, jhedstrom - isn't the solution provided by anonymouse the same in terms of SQL injection attacks...? By the way, I am only trying to grab one value, and I have created a column named account. I know that's like pissing on the Drupal bible, but for the specific situation I wanted to use it for, it needed to go that way. Besides, I'm betting that the User table doesn't change that much...
It is the same as anonymouse's...I think we cross-posted those answers.
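To make the difference between the three queries on this page concrete, here is an added example (not code from the question, the answers, or Drupal core). It reimplements in miniature what Drupal 6's db_query() does with %d, %s and {table} placeholders; build_query and the hostile sample value are constructed for this demonstration, and addslashes() stands in for Drupal's real escaping.

```php
<?php
// Added example, not from the Stack Overflow post or Drupal core. It mimics
// Drupal 6 db_query() placeholder handling so the effect can be seen offline.

/**
 * Substitute placeholders the way Drupal 6 does: %d is cast to an integer,
 * %s is escaped (the caller supplies the quotes), {table} gets the DB prefix.
 */
function build_query(string $sql, array $args, string $prefix = ''): string {
    $sql = preg_replace('/\{(\w+)\}/', $prefix . '$1', $sql);
    $i = 0;
    return preg_replace_callback('/%(d|s)/', function ($m) use ($args, &$i) {
        $value = $args[$i++] ?? null;
        if ($m[1] === 'd') {
            // Non-numeric input collapses to 0; trailing text after a
            // leading integer is dropped. Nothing but digits reaches SQL.
            return (string) (int) $value;
        }
        // Stand-in for db_escape_string(); real code must still quote '%s'.
        return addslashes((string) $value);
    }, $sql);
}

// Constructed hostile path argument, standing in for arg(1) on /user/<uid>.
$hostile_uid = "42 OR 1=1";

// 1. The question's query: arg(1) is inside a single-quoted string, so PHP
//    never evaluates it and the literal text "arg(1)" reaches the database.
$broken = 'SELECT account FROM users WHERE uid = arg(1)';

// 2. Naive concatenation: the path argument becomes part of the SQL text,
//    which is the SQL-injection risk the answers warn about.
$concatenated = "SELECT account FROM users WHERE uid = " . $hostile_uid;

// 3. The answers' form: %d keeps only the leading integer 42, and {users}
//    is rewritten with the configured table prefix.
$safe = build_query(
    'SELECT account FROM {users} WHERE uid = %d',
    [$hostile_uid],
    'drupal_'
);

echo $broken, "\n";
echo $concatenated, "\n";
echo $safe, "\n";
```

Because %d turns a non-numeric arg(1) into 0, the caller still has to confirm it is really on a user page (as the third answer's arg(0) == 'user' check does) or pass $account->uid from an already loaded user object.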
function accountselect_getclientaccount() {
  return (arg(0) == 'user') ? db_result(db_query('SELECT account FROM {users} WHERE uid = %d', arg(1))) : FALSE;
}

I don't know why you're using the global $user. Maybe you should be using $user->uid instead of arg(1)? This would save you checking arg(1) is actually a user ID.

This might be better:

function accountselect_getclientaccount($account) {
  return db_result(db_query('SELECT account FROM {users} WHERE uid = %d', $account->uid));
}

Also: see the user hook. It might be best practice to return the 'account' col on the load operation (if you're not doing that already)

http://api.drupal.org/api/function/hook_user/6

2 Comments

You're right, I didn't need global $user in the code. I removed it shortly after. As far as the $user->uid, that returns the uid of the currently logged in user. arg(1) returns the uid of the user whose account you are viewing. The purpose of the function is to load the user's current account as the default value in the select list. It was sort of a pain. What is the 'load' operation? A user-edit state?

Edit is another state but you're kinda right. You would have loaded that account from that URL so you could write something like:

function mymodule_user($op, &$edit, &$account, $category) {
  if ($op == 'load') {
    // do something to $account
  }
}

It shouldn't be too hard if you hook into the API the right way :)
