通过if（！empty（$ _ GET for Wordpress

Question

I need to do a query for a wordpress plugin but I can't figure it out by mayself. I want to limit post by category ids and if not any category was given, than show all post. My sql is:

$sql = "
        SELECT $wpdb->posts.ID, $wpdb->posts.post_title, $wpdb->posts.post_content, $wpdb->posts.post_excerpt, $wpdb->posts.post_name
        FROM $wpdb->posts
        LEFT JOIN $wpdb->term_relationships ON
        ($wpdb->posts.ID = $wpdb->term_relationships.object_id)
        LEFT JOIN $wpdb->term_taxonomy ON
        ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id)
        WHERE $wpdb->posts.post_status = 'publish'
        AND $wpdb->posts.post_type = 'product'
        AND $wpdb->term_taxonomy.taxonomy = 'product_cat'".
        if(!empty($_GET["category"])) {
        "AND $wpdb->term_taxonomy.term_id = '".htmlspecialchars($_GET["category"])."'".
        }
        "ORDER BY post_date DESC";

As you can understand, I'm trying to get category id by url like &category=12 but thats giving me a blank page (no errors or like) could you guys help me with that?

Answer 1

You cannot concatenate statements into expressions . You can only concatenate expressions , so you'll have to use a ternary:

"AND $wpdb->term_taxonomy.taxonomy = 'product_cat'".
(!empty($_GET['category']) ? 
    "AND $wpdb->term_taxonomy.term_id = '". htmlspecialchars($_GET["category"]) . "'" : '')
. "rest of query";

But really, this isn't the way to query the DB (it's massively unsafe... honestly) and it's messy, and hellish to maintain, and you're not checking isset on the $_GET params.

Basically, everything that can (and likely should) contain a semi-colon, is a statement:

$foo = "bar";//statement

This simple assignment statement falls consists of several expressions , of which "bar" is one. This statement also happens to be an expression, but that's not the point. The point is that:

if ($condition)
{
    //STATEMENT(S)
}

is not an expression, so it can't be incorporated into a single statement (like in your case, an the assignmend of a query string to a variable called $sql ).

Warning

Your query is, as others have pointed out, vulnerable to injection . WP allows you to use prepared statements , and you really should do so:

$id = $_POST['some_value'];//check isset first, of course
$wpdb->query(
    $wpdb->prepare(
        'SELECT foo FROM bar WHERE id = %d',
        $id
    )
);

Answer 2

You can't put an if in the middle of a string. You can use the concatenating assignment operator to add to the $sql variable.

$sql = "SELECT $wpdb->posts.ID, $wpdb->posts.post_title, $wpdb->posts.post_content, $wpdb->posts.post_excerpt, $wpdb->posts.post_name
        FROM $wpdb->posts
        LEFT JOIN $wpdb->term_relationships ON
        ($wpdb->posts.ID = $wpdb->term_relationships.object_id)
        LEFT JOIN $wpdb->term_taxonomy ON
        ($wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id)
        WHERE $wpdb->posts.post_status = 'publish'
        AND $wpdb->posts.post_type = 'product'
        AND $wpdb->term_taxonomy.taxonomy = 'product_cat'";

if(!empty($_GET["category"])) {
    $sql .= " AND $wpdb->term_taxonomy.term_id = '".htmlspecialchars($_GET["category"], ENT_QUOTES)."'";
}

$sql .= " ORDER BY post_date DESC";

I also added the ENT_QUOTES flag to htmlspecialchars() to translate single quotes into ' . This would add protection from injections, not allowing people to put a single quote in and inject their own query.

Prepared Statements

Look at Elias' answer on using prepared statements with Wordpress. Prepared statements are much safer than relying on any in place function to validate input.

Answer 3

Thanks for all affords. @Devon's code worked very well. By the way, I'm editing XML Export script for Wordpress's Woocommerce plugin.

Original plugin link is: https://wordpress.org/plugins/beslist-xml-feed-voor-woocommerce/

And you can download edited version of this plugin here: https://github.com/eXspet/beslist-xml-edited

What I've changed:

• You can get XML feeds by category (with your helps, obviously)
• You can see gallery images for woocommerce product in XML file.
• You can see short & full description for every products
• You can show your default currency by changing <kur>USD</kur>
• You can view all XML feeds via wordpress admin panel.

I'm not a coder, so I don't know much about security, If you notice any security open in this plugin, please let me know. Thanks everyone, again.