stackoom
  简体   繁体   中英

PHP mysql SELECT QUERY with an Or

 原文  2011-11-18 13:08:36       php/ mysql/ select

Question

mysql_query("SELECT * FROM foo WHERE id ='$foo' OR id = '$foo2");

This doesn't work.

Basically, I want to be able to select it where the id is one variable's value OR another one's.

Thanks.

EDIT: The ID column is numerical.

3 answers

solution1
 3  2011-11-18 13:11:00

I think you forgot the last ' character 

mysql_query("SELECT * FROM foo WHERE id ='$foo' OR id = '$foo2'");

but because the id column is numerical, you should use: 

mysql_query("SELECT * FROM foo WHERE id = $foo OR id = $foo2");

solution2
 3 ACCPTED  2011-11-18 13:16:30

As others have said and you confirmed, the problem is that you are using string literals to compare to a numeric column. To have it work, the query should look like 

mysql_query("SELECT * FROM foo WHERE id =$foo OR id = $foo2");

However, this solution has very very bad code smell!

First off, this is why IN exists: to be able to write 

mysql_query("SELECT * FROM foo WHERE id IN ($foo, $foo2)");

And second, are you injecting unescaped strings into your query? If you are, your code is vulnerable to sql injection ! Escape and quote your variables to be safe, like this (in the general case): 

$query = sprintf("SELECT * FROM foo WHERE id IN ('%s', '%s')",
                 mysql_real_escape_string($foo),
                 mysql_real_escape_string($foo2));
mysql_query($query);

or alternatively like this, since in this specific scenario you know we 're talking about integer values: 

$query = sprintf("SELECT * FROM foo WHERE id IN (%s, %s)",
                 intval($foo), intval($foo2));
mysql_query($query);

Footnote: I am aware that when using sprintf like this, one could also handle integer values by just using %d instead if %s as the format specifier. However, I believe that proving you are correctly escaping variables should be possible by just looking at one place (the parameter list) instead of multiple places (did I use intval on the variable? or maybe I did not, but I 'm using %d in the format string so I 'm still OK?). It may sound counter-intuitive, but it's more robust in the face of modifications.

solution3
 0  2011-11-18 13:16:32

Try this: 

mysql_query(sprintf("SELECT * FROM foo WHERE id = %s OR id = %s", $foo, $foo2));

I recommend you use mysql_error() for get mysql errors(if exists). 

mysql_query( .. ) or die('Erro:'.mysql_error());

the mysql_error returns the last error occurred in mysql.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question php mysql select query Mysql PHP Query select PHP MySQL Select query MYSQL select query in PHP select query inside in select query php mysql PHP/MySQL select query issues Php Mysql select query not working PHP Mysql Select query with BETWEEN Php array into mysql select query mysql select distinct query in PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM