
I have this array and get it from a URL. This array holds member ids that I need to pass to MySQL.

$member_id = $_GET['member_id'];

The array looks like this: Array ( [0] => 1269 [1] => 385 )

How can I transfer this array into my MySQL statement and make the , become AND:

$answer_sql = mysql_query("SELECT tna_category. * , tna_question. *, tna_answer. * 
                        FROM tna_category, tna_question, tna_answer 
                        WHERE  tna_category.section_id = '$section_id1' 
                        AND tna_question.id = tna_answer.question_id AND tna_question.category_id = tna_category.id 
                        AND tna_answer.member_id = ['1269' , '385']
                        ORDER BY tna_answer.question_id");

Should I put brackets?

In this part: tna_answer.member_id = Array or $member_id

  • Get the array values with foreach and run the query inside the foreach. Commented Feb 4, 2014 at 5:36
  • Why shouldn't I use mysql_* functions in PHP? Commented Feb 4, 2014 at 5:37
  • How can I do foreach in MySQL? Sorry, can you teach me more? Commented Feb 4, 2014 at 5:38
  • Also, try tna_answer.member_id IN (1269, 385). See IN. Commented Feb 4, 2014 at 5:38
  • I thought of that also, IN. Thanks Phil. Commented Feb 4, 2014 at 5:39

4 Answers


As others have said, you can use IN(), but you are apparently open to SQL injection attacks as it is. You need to do this:

$escaped_ids = array_map('mysql_real_escape_string', $member_ids);

Or, if they are surely all integers:

$escaped_ids = array_map('intval', $member_ids);

Then, you can write your query like:

$query = "SELECT tna_category. * , tna_question. *, tna_answer. * 
          FROM tna_category, tna_question, tna_answer 
          WHERE  tna_category.section_id = '" . mysql_real_escape_string($section_id1) . "' 
              AND tna_question.id = tna_answer.question_id 
              AND tna_question.category_id = tna_category.id 
              AND tna_answer.member_id IN (".implode(",", $escaped_ids).")
          ORDER BY tna_answer.question_id";

Never, never, never put unescaped values in your query.

Also, you should not be using the mysql_ functions anymore. Please consider using the mysqli_ functions instead.


2 Comments

Might as well sanitise $section_id1 too
Thanks, @Phil, I didn't notice it!
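The comments on this page point at prepared statements with parameter binding as the safer route, so here is an added example of that for the exact query in the question. It is not code from the original answer: it assumes a PDO connection to the same tables (tna_category, tna_question, tna_answer), the DSN and credentials are placeholders, and $section_id1 is the variable from the question. The implicit three-table join is written as explicit JOINs with the same conditions, and the IN (...) list is built from one ? placeholder per id so every value is bound rather than interpolated.

```php
<?php
// Added example: bind every member id instead of interpolating $_GET into SQL.
// Assumes a PDO connection to the schema from the question; the DSN and
// credentials below are placeholders.

function fetchAnswersForMembers(PDO $pdo, int $sectionId, array $memberIds): array
{
    // Validate: accept only whole-number strings/ints; anything else is rejected
    // rather than silently coerced. An empty list is returned early because
    // "IN ()" is a MySQL syntax error.
    $ids = [];
    foreach ($memberIds as $raw) {
        if (!is_int($raw) && !is_string($raw)) {
            throw new InvalidArgumentException('member_id entries must be scalar');
        }
        if (!preg_match('/^\d+$/', (string) $raw)) {
            throw new InvalidArgumentException('invalid member_id: ' . (string) $raw);
        }
        $ids[] = (int) $raw;
    }
    if ($ids === []) {
        return [];
    }

    // One "?" per id, e.g. "?,?" for the two ids in the question.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));

    // Same joins and filters as the question's query, with explicit JOIN syntax.
    $sql = "SELECT tna_category.*, tna_question.*, tna_answer.*
            FROM tna_category
            JOIN tna_question ON tna_question.category_id = tna_category.id
            JOIN tna_answer   ON tna_answer.question_id  = tna_question.id
            WHERE tna_category.section_id = ?
              AND tna_answer.member_id IN ($placeholders)
            ORDER BY tna_answer.question_id";

    $stmt = $pdo->prepare($sql);
    // Positional parameters are 1-based: section id first, then each member id.
    $stmt->bindValue(1, $sectionId, PDO::PARAM_INT);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 2, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the request shape from the question: ?member_id[]=1269&member_id[]=385
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$memberIds = isset($_GET['member_id']) ? (array) $_GET['member_id'] : [];
$rows = fetchAnswersForMembers($pdo, (int) $section_id1, $memberIds);
```

Two things worth knowing when adapting this: PDO::ATTR_EMULATE_PREPARES is set to false so the values travel separately from the statement text rather than being escaped client-side, and because the query selects * from three tables, FETCH_ASSOC keeps only the last column of any duplicated name (for example id), so list the columns you actually need if that matters.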

First split the array value, get the number of rows in the array value, and pass the values one by one into the query using a for or foreach loop.

Comments


Try this:

$member_id = $_GET['member_id'];

If you're already getting comma-separated values then there's no need to use the explode function; just use the implode function in the database query.

$member_id = explode(",", $member_id);  

and then

$answer_sql = mysql_query("SELECT tna_category. * , tna_question. *, tna_answer. * 
                        FROM tna_category, tna_question, tna_answer 
                        WHERE  tna_category.section_id = '$section_id1' 
                        AND tna_question.id = tna_answer.question_id AND tna_question.category_id = tna_category.id 
                        AND tna_answer.member_id IN (".implode(",", $member_id).")
                        ORDER BY tna_answer.question_id");

The explode function creates an array; it depends on whether you explode the value on a comma or a space, and then implode means joining these values with a comma or a space. For more detail see explode and implode.

10 Comments

Considering the member_id array comes from external input, this is very unsafe
PDO or MySQLi, prepared statements and parameter binding. It's really the only safe way
Yet another reason not to use them
@Phil have you seen. OP using mysql_query so don't try to demotivate anyone else
@Phil you will protect them from mysql injection am i right?

You can use the IN clause of MySQL like this:

$your_array = array("0"=>"1269", "1"=>"385");

$in_text = implode(",", $your_array);

$sql = "SELECT tna_category. * , tna_question. *, tna_answer. * 
        FROM tna_category, tna_question, tna_answer 
        WHERE  tna_category.section_id = '$section_id1' 
               AND tna_question.id = tna_answer.question_id 
               AND tna_question.category_id = tna_category.id  
               AND tna_answer.member_id IN ($in_text)
        ORDER BY tna_answer.question_id";

1 Comment

Well, this is an offline website, not online, and it is only used by one administrator. Cheers :)
