Syntax Error

paseo

6:43 pm on Feb 1, 2007 (gmt 0)

10+ Year Member

Is it possible to use both WHERE and ORDER BY in the same statement? I'm pretty sure you can, but I can't seem to get the syntax right. Below is the line I'm referring to:

$qry = "SELECT * FROM `$table` order by `$_GET[sortby]` desc limit $StartFrom, $Limit" WHERE `username` = "'.$session->username.'"';

jatar_k

6:48 pm on Feb 1, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

Take a look at the SELECT Syntax [dev.mysql.com].

Your WHERE needs to be first, and then you ORDER BY and LIMIT.

eelixduppy

8:21 pm on Feb 1, 2007 (gmt 0)

Don't forget to also escape your variables [us2.php.net]!

ericjust

2:39 am on Feb 5, 2007 (gmt 0)

10+ Year Member

Use `` (backticks) for table names and fields.
Use '' (single quotes) for values.

ESCAPE YOUR VARIABLES!

$table = addslashes($table);
$sortby = addslashes($_GET['sortby']);
$StartFrom = addslashes($StartFrom);
$Limit = addslashes($Limit);
$username = addslashes($session->username);

$qry = "SELECT * FROM `{$table}` WHERE `username` = '{$username}' ORDER BY `{$sortby}` DESC LIMIT {$StartFrom}, {$Limit};";

It's never a good idea to put $_GET variables directly into your SQL queries.

If you are using magic quotes, don't. If you were to move your code to another server where it wasn't enabled, then your code would be open to SQL injection attacks.
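A present-day version of the corrected query above, written as an added example and not taken from any post in this thread: the `mysql_*` functions discussed here were removed in PHP 7, so it uses a PDO prepared statement for the WHERE value, a whitelist for the ORDER BY column (identifiers cannot be bound or usefully escaped inside backticks), and integer casting for LIMIT. The table name, the allowed column names and the `$pdo` connection are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Builds the query the original poster
// wanted, with WHERE before ORDER BY and LIMIT, and treats each untrusted
// part according to where it lands in the statement. The table and column
// names below, and the $pdo connection, are assumed for illustration.

// Identifiers (table, ORDER BY column) cannot be bound as parameters, and
// escaping functions do not help inside backticks, so only known names pass.
const ALLOWED_SORT_COLUMNS = ['id', 'created', 'title'];   // assumed columns
const TABLE_NAME = 'posts';                                 // assumed table

function buildUserQuery(array $get, string $username, int $startFrom, int $limit): array
{
    $sortby = $get['sortby'] ?? 'id';
    if (!in_array($sortby, ALLOWED_SORT_COLUMNS, true)) {
        $sortby = 'id';                        // anything not whitelisted falls back
    }
    // LIMIT arguments must be integers: cast and clamp rather than escape.
    $startFrom = max(0, $startFrom);
    $limit = max(1, min(100, $limit));

    // The WHERE value is bound as a parameter, so it is never quoted or
    // escaped by hand; the driver keeps it separate from the SQL text.
    $sql = sprintf(
        'SELECT * FROM `%s` WHERE `username` = :username ORDER BY `%s` DESC LIMIT %d, %d',
        TABLE_NAME, $sortby, $startFrom, $limit
    );
    return [$sql, [':username' => $username]];
}

function fetchUserRows(PDO $pdo, array $get, string $username, int $startFrom, int $limit): array
{
    [$sql, $params] = buildUserQuery($get, $username, $startFrom, $limit);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input standing in for $_GET and $session->username.
[$sql, $params] = buildUserQuery(['sortby' => 'created'], "o'brien", 0, 20);
echo $sql, "\n";           // whitelisted identifier, integer LIMIT values
var_dump($params);         // the apostrophe travels as a bound value, not SQL
```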

eelixduppy

8:10 pm on Feb 5, 2007 (gmt 0)

ericjust, addslashes should not be used for escaping variables for use in a mysql query. Instead, you should use mysql_real_escape_string (my link above) or mysql_escape_string.

I just thought I'd let you know in case you are using addslashes.

...and glad to have you around here :)

ericjust

8:40 pm on Feb 5, 2007 (gmt 0)

10+ Year Member

eelixduppy,

Thanks for the advice. You're right.