WHERE clause confusion

3 posts by 2 authors in: Forums > CMS Builder
Last Post: July 29, 2009   (RSS)

Re: [Mr Jim] WHERE clause confusion

By Dave - July 29, 2009

Hi Jim,

If you have some comfort with SQL you can see the SQL code being generated by CMSB by adding this option:
'debugSql' => true,

It's really handy to see what's going on and where problems might be.

In this case there's three things to keep in mind:
1) PHP only replaces variables in double quoted strings (not single quoted strings)
2) MySQL requires values be in quoted strings (single or double)
3) You should escape any user form input to avoid SQL injection attacks

Try this:
$escapedDept = mysql_real_escape_string( @$_GET['dept'] );

This will escape quotes in the input (preventing SQL injection) and the @ supresses the "undefined index 'dept'" error that you'd get in the event the link didn't have ?dept= in it.

And this:
'where' => "department = '$escapedDept' ",

Which will replace the variable name with it's value and still have it quoted for MySQL.

Hope that helps! Let me know if that works for you.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] WHERE clause confusion

By MisterJim - July 29, 2009

Dave,

I understand. Thank you for the lesson.

Your code worked perfectly. Much appreciated.

Jim
WebCamp One, LLC



Websites That Work