
smarty -sql query - where id clause is the result of another query

For partner data, I need the partner id to correspond to the pid from the contract result. I got the query result from contract data, got the contract data, then I need the partner.id to be the contract.pid. When saving this, I get this error:

Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

require "$_SERVER[DOCUMENT_ROOT]/billing/server/Smarty/libs/Smarty.class.php";
require_once "$_SERVER[DOCUMENT_ROOT]/common/server/engine.php";

// required args
$cbid = $_GET['cbid'];
//$smarty->force_compile = true;
$smarty->debugging = true;
$smarty->caching = true;
$smarty->cache_lifetime = 120;

// ------- contract data ------
$sql = "
SELECT *
FROM billing.contract_body
JOIN billing.contract_stub ON stub=contract_stub.id
WHERE contract_body.id=$cbid
";
$result = mysql_query($sql) or die ("Query failed : " . mysql_error());
while ($contract = mysql_fetch_assoc($result))
{
    $value[] = $contract;
}
$smarty->assign('contract', $value);

// ------- partner data ------
$sql = "
SELECT *
FROM common.partner
WHERE partner.id=$contract[pid]
";
$result = mysql_query($sql) or die ("Query failed : " . mysql_error());
while ($partner = mysql_fetch_assoc($result))
{
    $value[] = $partner;
}

There are a few possible problems:

1) You should probably use {} when interpolating array elements in a php string. I think different (older) versions of php handle the cases without {} differently (it's hard to get references to documentation on older versions of php). The value could easily be interpreted as '', which would result in a sql error. You could confirm this by printing out the actual sql string being executed - if the value is missing this would be the problem. I personally always use the { } syntax for every expression other than simple variables " $myvar "

2) $contract[pid] is probably not valid. pid would be interpreted as a constant (DEFINE) (which may resolve to 'pid'). I'm guessing you meant this: $contract['pid']. Unfortunately the php documentation is not consistent in this - some samples show the use without quotes and some parts explicitly point out the problem:

"Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not. But why? It is common to encounter this kind of syntax in old scripts:"

http://php.net/manual/en/language.types.array.php

3) It's appropriate to put single quotes around the value in the SQL equals comparison: where table.column = 'value'; It may work without, depending on the data types involved.

4) Your code is subject to SQL injection. You're using the cbid value from the $_GET parameters without sanitizing it or using query parameters.

So try this:

" ... where partner.id='{$contract['pid']}' "

and please fix your sql injection :) The best approach is to use query parameters which avoids much of your problem with string interpolation in the first place. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
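The fix recommended above, written out as an added example that is neither the asker's nor the answerer's code: both queries from the question rewritten with mysqli prepared statements, so the ids never become part of the SQL string. It assumes the table and column names from the question, a mysqli connection with placeholder credentials, the mysqlnd driver (needed for get_result()), and a $smarty object set up as in the question's includes.

```php
<?php
// Added example, not the original post's code. Assumes $smarty is already set up
// by the includes shown in the question and that mysqlnd is available.

// Validate the only external input up front: cbid must be an integer.
$cbid = filter_input(INPUT_GET, 'cbid', FILTER_VALIDATE_INT);
if ($cbid === false || $cbid === null) {
    http_response_code(400);
    exit('cbid must be an integer');
}

$mysqli = new mysqli('localhost', 'user', 'pass', 'billing'); // placeholder credentials
$mysqli->set_charset('utf8mb4');

// ------- contract data ------
// The id is bound as a parameter, so no quoting or interpolation is involved.
$stmt = $mysqli->prepare(
    'SELECT *
       FROM billing.contract_body
       JOIN billing.contract_stub ON contract_body.stub = contract_stub.id
      WHERE contract_body.id = ?'
);
$stmt->bind_param('i', $cbid);
$stmt->execute();
$contract = $stmt->get_result()->fetch_assoc(); // one row, or null if none
$stmt->close();

if ($contract === null) {
    http_response_code(404);
    exit('no such contract');
}

// ------- partner data ------
// In the question, $contract[pid] was read after the while loop had finished, when
// mysql_fetch_assoc() had already returned false, so the WHERE clause ended up empty.
// Here pid comes from the row fetched above and is bound as a parameter.
$stmt = $mysqli->prepare('SELECT * FROM common.partner WHERE partner.id = ?');
$stmt->bind_param('i', $contract['pid']);
$stmt->execute();
$partner = $stmt->get_result()->fetch_assoc();
$stmt->close();

$smarty->assign('contract', $contract);
$smarty->assign('partner', $partner);
```

Note that SELECT * over a join of two tables that both have an id column leaves only the last id in the fetch_assoc() row; list the columns explicitly if you need both.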

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM