mysql_query("SELECT * FROM foo WHERE id ='$foo' OR id = '$foo2");
This doesn't work.
Basically, I want to be able to select it where the id is one variable's value OR another one's.
Thanks.
EDIT: The ID column is numerical.
I think you forgot the last ' character
mysql_query("SELECT * FROM foo WHERE id ='$foo' OR id = '$foo2'");
but because the id column is numerical, you should use:
mysql_query("SELECT * FROM foo WHERE id = $foo OR id = $foo2");
As others have said and you confirmed, the problem is that you are using string literals to compare to a numeric column. To have it work, the query should look like
mysql_query("SELECT * FROM foo WHERE id =$foo OR id = $foo2");
However, this solution has very very bad code smell!
First off, this is why IN exists: to be able to write
mysql_query("SELECT * FROM foo WHERE id IN ($foo, $foo2)");
And second, are you injecting unescaped strings into your query? If you are, your code is vulnerable to SQL injection! Escape and quote your variables to be safe, like this (in the general case):
$query = sprintf("SELECT * FROM foo WHERE id IN ('%s', '%s')",
mysql_real_escape_string($foo),
mysql_real_escape_string($foo2));
mysql_query($query);
or alternatively like this, since in this specific scenario you know we're talking about integer values:
$query = sprintf("SELECT * FROM foo WHERE id IN (%s, %s)",
intval($foo), intval($foo2));
mysql_query($query);
Footnote: I am aware that when using sprintf like this, one could also handle integer values by just using %d instead of %s as the format specifier. However, I believe that proving you are correctly escaping variables should be possible by just looking at one place (the parameter list) instead of multiple places (did I use intval on the variable? or maybe I did not, but I'm using %d in the format string so I'm still OK?). It may sound counter-intuitive, but it's more robust in the face of modifications.
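The same IN lookup written with bound parameters instead of escaping, as an added example that is not part of the original answers (the mysql_* functions used on this page were removed in PHP 7.0). Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, and the helper name selectByIds and the sample rows are constructed for illustration.

```php
<?php
// Added example, not from the original answers. Assumptions: PDO with the
// SQLite driver stands in for MySQL; table foo and its rows are constructed.

function selectByIds(PDO $pdo, array $ids): array
{
    // Accept only values that are valid integers. intval() would silently
    // turn "3 OR 1=1" into 3; validation rejects it instead.
    $clean = [];
    foreach ($ids as $id) {
        $n = filter_var($id, FILTER_VALIDATE_INT);
        if ($n === false) {
            throw new InvalidArgumentException('id is not an integer: ' . var_export($id, true));
        }
        $clean[] = $n;
    }
    if ($clean === []) {
        return []; // "IN ()" is a syntax error, so short-circuit
    }

    // One "?" per id: the SQL text never contains the values themselves.
    $marks = implode(', ', array_fill(0, count($clean), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM foo WHERE id IN ($marks) ORDER BY id");
    foreach ($clean as $i => $n) {
        $stmt->bindValue($i + 1, $n, PDO::PARAM_INT); // positions are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO foo (id, name) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

$foo = '1';   // constructed input, as it would arrive from a request
$foo2 = '3';
print_r(selectByIds($pdo, [$foo, $foo2]));

try {
    selectByIds($pdo, [$foo, '3 OR 1=1']); // constructed non-integer input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Against MySQL only the DSN passed to the PDO constructor changes; the placeholder list is built from the number of ids, so the same function serves any count of values.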
Try this:
mysql_query(sprintf("SELECT * FROM foo WHERE id = %s OR id = %s", $foo, $foo2));
I recommend you use mysql_error() to get MySQL errors (if any).
mysql_query( .. ) or die('Erro:'.mysql_error());
mysql_error returns the last error that occurred in MySQL.