3

Spent several hours searching for an answer without success. I've written a user-defined function in MySQL which is passed an identifier which it uses to retrieve various pieces of data, concatenate it into one string and return it. I want to call this function from my PHP page and output the result.

Unsuccessful attempts include:

1. $result = mysql_query("select functionName($id)"); 

2. $sql = "select functionName($id)";
   $result = mysql_query($sql, $link);

3. functionName($id) 

Any ideas?

4
  • Do you refer to a stored procedure? If so, you need to call YourSP() Commented Jan 25, 2011 at 16:14
  • You are on the right track with (1) and (2). What sort of error messages are you receiving? Does the query work just fine when you run it in a MySQL query tool? Commented Jan 25, 2011 at 16:14
  • Solutions 1 and 2 do the same thing and should work Commented Jan 25, 2011 at 16:15
  • Where is the functionName() written? Commented Dec 21, 2011 at 16:29

2 Answers

1

1 and 2 are close, but $result is not going to contain the result of the function call. Rather, it is going to contain the result cookie from the query. You can use that cookie to get the actual data, with mysql_fetch_row(). The function call just returns a value for the select statement, just the same as "SELECT 42" or "SELECT a FROM MyTable". So to get the result you would use the same mechanism as with any other SQL query that returns results; that is, use the cookie and call mysql_fetch_row(). So your final code will look like this:

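$result = mysql_query("select functionName($id)", $link); // the link belongs on the query call
$row = mysql_fetch_row($result); // mysql_fetch_row() takes only the result resource
$returnValue = $row[0]; // first column holds the function's return value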

Note that you don't want to be interpolating variables directly into an SQL string (that can be a vector for attacks). I assume, however, that this code is just for example purposes.


4 Comments

The value of $id has been passed from the previous search selection page to identify the record the user wants to access. What's the safe way for me to do this?
@Chelle: use mysql_real_escape_string() on the value of $id: $sql = "select functionName(" . mysql_real_escape_string($id, $link) . ")" and then use $sql in mysql_query()
Your method for sanitising $id is not adequate; consider for example the behaviour if $id contains 3) FROM Users WHERE 1 = 1 -- (the resulting query is select functionName(3) FROM Users WHERE 1 = 1 -- ); the function is run once for every row in table Users, if it exists).
@Hammerite: good catch. preg_match() is a good next step. It's been a while since I've done webdev, so I missed this vector.
0

I had the same question and found this very useful write-up from devx, particularly the part at the bottom about calling MySQL functions:

http://www.devx.com/webdev/Article/42887/0/page/2

With regards to mysqli, my code is now as follows:

$result = mysqli_query($sqlconnection,"SELECT functionName($id)");
$row = mysqli_fetch_row($result);
return $row[0];

Works perfectly.
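
The injection raised in the comments on the first answer works because $id sits in an unquoted numeric position, where escaping leaves the input unchanged. As an added example (not code from either answer), the following validates the identifier as an integer and sends it to MySQL as a bound parameter with mysqli. It assumes functionName() takes a single integer argument and that the id arrives as a GET parameter; the helper names and the connection details in the final comment are placeholders.

```php
<?php
// Added example, not code from the original posts.
// Assumption: functionName() takes one integer argument.

/** Accept only a plain decimal integer; returns the int, or null if invalid. */
function parseRecordId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

/** Call the stored function with the id sent as a bound parameter. */
function callFunctionName(mysqli $db, int $id): ?string
{
    // The SQL text is constant; the id never becomes part of it.
    $stmt = $db->prepare('SELECT functionName(?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $value : null;
}

// Constructed inputs. The second is the string quoted in the comment thread:
// it has no quote or backslash characters, so escaping would not alter it.
$samples = ['42', '3) FROM Users WHERE 1 = 1 -- ', '7 OR 1=1', ''];
foreach ($samples as $raw) {
    $id = parseRecordId($raw);
    printf("%-34s => %s\n", var_export($raw, true),
        $id === null ? 'rejected' : "accepted as $id");
}

// With a live connection (placeholder credentials):
// $db = new mysqli('localhost', 'user', 'password', 'database');
// $id = parseRecordId($_GET['id'] ?? '');
// if ($id !== null) {
//     echo htmlspecialchars((string) callFunctionName($db, $id));
// }
```

The loop runs without a database and shows only '42' being accepted; callFunctionName() needs an open mysqli connection.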
