6

I am retrieving values from the URL with the GET method and then using an if statement to determine if they are there, then querying them against the database to only show those items that match them. I get "An unknown error occurred with your request". Here is my code:

```php
$province = $_GET['province'];
$city = $_GET['city'];

if(isset($province) && isset($city) ) {
  // The values are interpolated without quotes, so MySQL sees them as
  // column names / bare identifiers and the query fails, triggering die().
  $results3 = mysql_query("SELECT * 
                            FROM generalinfo 
                           WHERE province = $province 
                             AND city = $city  ") 
                       or die( "An unknown error occurred with your request");
} else {
  $results3 = mysql_query("SELECT * FROM generalinfo");
} /*if statement ends*/
```

1 Answer

6

You need single-quotes round your strings in SQL:

```php
"SELECT * FROM generalinfo WHERE province='$province' AND city='$city'"
```

Note that constructing the query in this way could leave you at risk of an SQL injection vulnerability. Consider using mysql_real_escape_string instead.

```php
"SELECT * FROM generalinfo WHERE province='" .
mysql_real_escape_string($province) . "' AND city='" .
mysql_real_escape_string($city) . "'"
```

3 Comments

+1 because the only correct way to deal with user input is to escape it.
+1 answer without a security hole in it. Consider also parameterised queries (mysqli/PDO).
Thanks for the quick response and this worked perfectly and I included the escapes option.
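Following the comment about parameterised queries, here is an added example (not code from the question or the answer) of the same province/city lookup written with PDO prepared statements. It keeps the table and column names from the question (generalinfo, province, city) but uses an in-memory SQLite database with constructed rows so it runs offline; against MySQL you would only change the DSN. The city "Val-d'Or" is chosen deliberately: its apostrophe would break the string-concatenated query, while a bound parameter treats it as plain data.

```php
<?php
// Added example: province/city lookup with PDO prepared statements.
// Assumptions: table/column names as in the question; SQLite in memory
// standing in for MySQL; rows below are constructed sample data.
declare(strict_types=1);

function connect(): PDO
{
    // With a MySQL DSN you would also set PDO::ATTR_EMULATE_PREPARES to false
    // so the server, not the client library, handles the parameter binding.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE generalinfo (id INTEGER PRIMARY KEY, province TEXT NOT NULL, city TEXT NOT NULL)');

    // Even the sample data is inserted through a prepared statement.
    $ins = $pdo->prepare('INSERT INTO generalinfo (province, city) VALUES (?, ?)');
    foreach ([['Quebec', "Val-d'Or"], ['Ontario', 'Toronto'], ['Quebec', 'Montreal']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

/**
 * Returns matching rows. The filter is applied only when both values are
 * present and non-empty, mirroring the isset() branch in the question.
 * User input never becomes part of the SQL text: it is bound as a parameter,
 * so a quote inside it (Val-d'Or) is data, not syntax.
 */
function findGeneralInfo(PDO $pdo, ?string $province, ?string $city): array
{
    if ($province !== null && $city !== null && $province !== '' && $city !== '') {
        $stmt = $pdo->prepare(
            'SELECT * FROM generalinfo WHERE province = :province AND city = :city'
        );
        $stmt->execute([':province' => $province, ':city' => $city]);
    } else {
        $stmt = $pdo->query('SELECT * FROM generalinfo');
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();

// Simulated request input, i.e. what $_GET['province'] / $_GET['city'] would
// hold. The null-coalescing reads avoid "undefined index" notices when a
// parameter is absent from the URL.
$get = ['province' => 'Quebec', 'city' => "Val-d'Or"];

$rows = findGeneralInfo($pdo, $get['province'] ?? null, $get['city'] ?? null);
echo count($rows), " row(s) for Quebec / Val-d'Or\n";

$rows = findGeneralInfo($pdo, null, null);
echo count($rows), " row(s) with no filter\n";
```

The mysql_* functions used in the question were removed in PHP 7, so PDO (or mysqli) is the way this would be written today; binding parameters also removes the need to call an escaping function at every interpolation point, which is where the original code went wrong.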
