
Why can't I use this code? And could anyone tell me what the correct code is?

$lfr_prfid = "profile='$log_id'";

$lfrsql = "SELECT * FROM friends WHERE user2='$log_id' AND accepted='1'";
$lfrquery = mysqli_query($db_conx, $lfrsql);

while ($lfrrow = mysqli_fetch_array($lfrquery, MYSQLI_ASSOC)) {

$lfr_id = $lfrrow["id"];
$lfr_user1 = $lfrrow["user1"];
$lfr_user2 = $lfrrow["user2"];

$lfr_prfid += " OR profile='".$lfr_user1."'";

}

In the last line I wrote ( += ) and the code doesn't work, so how can I do this another way, so that I can use the result in a SELECT statement?

$psql = "SELECT * FROM posts WHERE ".$lfr_prfid." ORDER BY postdate DESC LIMIT 0,20";
$pquery = mysqli_query($db_conx, $psql);
  • Read about PHP's operators. The string operators would be relevant in this case. Commented Nov 23, 2013 at 19:26
  • You urgently need to read up on proper SQL escaping because this thing is riddled with SQL injection bugs. The bind_param method makes this safe and reliable. Commented Nov 23, 2013 at 20:20
  • Please accept the most helpful answer by clicking the checkmark to the left of the answer, underneath the voting arrows. This will also award you some reputation points. If you haven't taken the SO tour, check it out here: stackoverflow.com/tour. Commented Jan 24, 2014 at 5:38

2 Answers


$lfr_prfid.=

Concatenate with ., not with +. The + is concatenation in JavaScript.

so, in php: $myVar.= 'foo';

and in JavaScript: myVar+= 'foo';

Update based on your edit:

Please, DO NOT use that in a database query. Use prepared statements or your code is dangerous.


7 Comments

Why is it dangerous?
Read about prepared statements. It's more likely than not that someone could use SQL injection to do anything they want with your database. @Master
Thanks very much, but is there another way to do that statement?
@Master prepared statements. Google it.
@Master Wrap the whole statement in this method: mysqli_real_escape_string(). Or use prepared statements as m59 mentioned.
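The answer above and its comments tell the asker to use prepared statements instead of building the WHERE clause from $log_id and the friends' user ids. Here is an added example of what that looks like for the question's two queries; it is not code from the question or from either answer. It assumes, as the question does, that $db_conx is an open mysqli connection and $log_id is the logged-in user's id. It also generalises the question's chain of "profile='...' OR profile='...'" terms into a single IN (...) list with one ? placeholder per id, so the SQL text never contains any user-supplied value.

```php
<?php
// Added example (not the question's or the answers' code).
// Assumes $db_conx is an open mysqli connection and $log_id is the logged-in
// user's id, as in the question.

// 1. Collect the accepted friends' ids with a prepared statement. The value of
//    $log_id is sent separately from the SQL text, so it cannot alter the query.
$profileIds = [$log_id];   // the user's own profile, i.e. the question's first term
$stmt = $db_conx->prepare(
    "SELECT user1 FROM friends WHERE user2 = ? AND accepted = '1'"
);
$stmt->bind_param("s", $log_id);
$stmt->execute();
$stmt->bind_result($user1);
while ($stmt->fetch()) {
    $profileIds[] = $user1;
}
$stmt->close();

// 2. Build one "?" per id. Only the placeholder count depends on the data;
//    the ids themselves are bound, never concatenated into the string.
$placeholders = implode(",", array_fill(0, count($profileIds), "?"));
$types = str_repeat("s", count($profileIds));

$pstmt = $db_conx->prepare(
    "SELECT * FROM posts WHERE profile IN ($placeholders) "
    . "ORDER BY postdate DESC LIMIT 0,20"
);
$pstmt->bind_param($types, ...$profileIds);   // argument unpacking: PHP 5.6+
$pstmt->execute();
$result = $pstmt->get_result();               // needs the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // use $row exactly as the question's $pquery loop would
}
$pstmt->close();
```

Two notes on the design: the query string is assembled only from fixed SQL and ? characters, which is why the number of ids can vary without any escaping; and on PHP 8.1 or later the bind_param line can be replaced by $pstmt->execute($profileIds), which binds the array directly. If get_result() is unavailable (no mysqlnd), use bind_result() on the second statement in the same way as on the first.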

Change your code to:

$lfr_prfid .= " OR profile='".$lfr_user1."'";

Concatenation in PHP is done with the dot operator (.), not with += as you have written.

Hope this helps!
