PHP and MySQL Select Based on Column Contents

mehh

7:27 pm on Mar 22, 2007 (gmt 0)

10+ Year Member



When I set up my site I devoted some time to MySQL, but I found the numerous different ways of getting information from MySQL databases infuriating, so I just stuck with what I thought best. I ended up with something like this:

$result = mysql_query("SELECT * FROM xyz");
while($row = mysql_fetch_array($result))
{
if($input==$row['abc'])
{
//code here
}
}

Is there a better (more secure, faster, etc) way of doing this?

joelgreen

7:30 pm on Mar 22, 2007 (gmt 0)

10+ Year Member



$result = mysql_query("SELECT * FROM xyz where abc = {$input}");
while($row = mysql_fetch_array($result)) {
//here you will have only rows having abc = $input
// just process them

echo $row['someColumnName'];

}

mehh

7:00 pm on Mar 23, 2007 (gmt 0)

10+ Year Member



I'm getting the results based on user input, so isn't that vulnerable to an SQL injection attack?

eelixduppy

7:04 pm on Mar 23, 2007 (gmt 0)



It is vulnerable if not properly handled. It would look something like this:

// mysql_real_escape_string: http://www.php.net/mysql-real-escape-string
$result = mysql_query("SELECT * FROM xyz where abc = '".mysql_real_escape_string($input)."'");

This properly escapes characters in the variable that could potentially be used for mysql injection.
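
Added example, not part of the original posts: it compares a string-built query with a prepared statement, where the value is bound separately from the SQL text and needs no escaping. It assumes PDO with an in-memory SQLite database so it runs without a server; the table contents and inputs are constructed. The `mysql_*` functions used in the thread were removed in PHP 7.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension so it
// runs offline; with MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL also disable emulation so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data using the thread's table and column names.
$pdo->exec("CREATE TABLE xyz (id INTEGER PRIMARY KEY, abc TEXT, someColumnName TEXT)");
$pdo->exec("INSERT INTO xyz (abc, someColumnName) VALUES
    ('alice', 'row for alice'), ('bob', 'row for bob'), ('o''brien', 'row for o''brien')");

/** String-built query with no escaping: the input becomes part of the SQL. */
function findConcatenated(PDO $pdo, string $input): array
{
    return $pdo->query("SELECT * FROM xyz WHERE abc = '" . $input . "'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared statement: the value is bound separately and is never parsed as SQL. */
function findPrepared(PDO $pdo, string $input): array
{
    $stmt = $pdo->prepare('SELECT id, abc, someColumnName FROM xyz WHERE abc = :abc');
    $stmt->execute([':abc' => $input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary value, a legitimate value containing a quote,
// and a value that rewrites the WHERE clause when concatenated.
$inputs = ['bob', "o'brien", "nobody' OR '1'='1"];

foreach ($inputs as $input) {
    try {
        $concat = count(findConcatenated($pdo, $input)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';   // the stray quote broke the statement
    }
    $prepared = count(findPrepared($pdo, $input)) . ' row(s)';
    printf("%-20s concatenated: %-10s prepared: %s\n", $input, $concat, $prepared);
}
```

A mismatch between the two columns for any input means that input was interpreted as SQL rather than compared as a value.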

mehh

7:06 pm on Mar 23, 2007 (gmt 0)

10+ Year Member



Thanks