3

I'm passing an argument to my PHP code using a web browser in the following format:

www.site.php?age=1&sex=2

Then in the code accessing those arguments:

'age' => $_GET['age']
'sex' => $_GET['sex']

One argument needs to be a set of comma-separated values (i.e., "1,2,3,4,5"). When I do the following, only the first value gets interpreted:

www.site.php?age=1&sex=2&nums=1,2,3,4,5

I've tried with parens, brackets, etc., which all break the code. Any thoughts? Thanks,

EDIT: I incorrectly assumed when the error occurred. The error occurs when trying to actually make the sql call:

This works:

$sql = <<<SQL
    SELECT * from db
    WHERE age=:age AND nums in (1,2)
SQL;
$query = $dbs['base']['connection']->prepare($sql);

$query->execute(array(
    ':age' => $_GET['age'],
));

But it fails when I pass in the nums:

$sql = <<<SQL
    SELECT * from db
    WHERE age=:age AND nums in (:nums)
SQL;
$query = $dbs['base']['connection']->prepare($sql);

$query->execute(array(
    ':age'  => $_GET['age'],
    ':nums' => $_GET['nums'],
));

When I just print $_GET['nums'], the comma-separated values come in just fine. How can I properly pass the 'nums' argument to the SQL query?

Jonathan Leffler
mike

5 Answers

1

Did you try urlencode?

// set
$nums = urlencode(join(',', array(1,2,3,4,5)));

// get
$nums = explode(',', urldecode($_GET['nums']));
// I think this needs sanitizing
$nums = array_map('intval', $nums);
Kerem
  • The screen just prints "array" when I try that: `$nums = explode(',', urldecode($_GET['nums'])); print($nums);` What am I missing? – mike Jan 26 '13 at 03:25
  • But when I just do `$nums = urldecode($_GET['causes'])`, I get "1,2,3,4,5" – mike Jan 26 '13 at 03:26
  • Yes, but you need to filter `$nums` for security. After filtering, you can use `join()` to get `1,2,3`. – Kerem Jan 26 '13 at 20:21
1

Convert the commas into something more friendly on the sending page:

$nums = "1,2,3,4,5";
$nums = str_replace(',','|',$nums);

In the page receiving the GET do the following:

$nums = str_replace('|',',',$nums);
Jason Small
0

URL encode the commas if you want a string?

www.site.php?age=1&sex=2&nums=1%2C2%2C3%2C4%2C5

Also, HTTP has an array format for parameters that PHP could interpret automatically for you. I forget the syntax offhand, but it's pretty straightforward.

Edit 2: Never mind, you want the string.

Tim
0

Not clear on why a test like this doesn’t work for you. Note the <pre> and print_r() are strictly there for debugging. explode(',', $_GET['nums']) is the key.

echo '<pre>';
$nums_array = explode(',', $_GET['nums']);
print_r($nums_array);
echo '</pre>';

Maybe you need to share part of the parsing code with us to better understand?

Giacomo1968
0

With your current database interface, you can't. It uses prepared statements. Your list will be converted into a string, and thus will no longer be a value list for the IN clause.

This is why I'm for example using something like this:

db("SELECT * from t1 WHERE id=? AND x IN (??)", $id, $array);

You'll however have to manually create some ?,?,?,?,? placeholders [1], depending on the input list length (after the mentioned explode, or better str_getcsv splitting). And yes you need enumerated parameters, not :named ones.

[1] Precisely because it's boring/tedious I'm not providing sample code here.

mario
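The placeholder expansion described in the last answer (one positional `?` per list item, built after splitting and validating the GET value), as an added example that is not code from any answer on this page. It assumes the `pdo_sqlite` extension for an in-memory database; the table `people`, its rows, and the function names `parseIntList` and `findByAgeAndNums` are hypothetical.

```php
<?php
// Added example. Table "people" and its rows are constructed for the demo.

// Turn "1,2,3" into [1, 2, 3]; anything that is not an integer is rejected.
function parseIntList(string $raw, int $max = 100): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $id = filter_var(trim($part), FILTER_VALIDATE_INT);
        if ($id === false) {
            throw new InvalidArgumentException('list item is not an integer');
        }
        $ids[] = $id;
    }
    if (count($ids) > $max) {
        throw new InvalidArgumentException('too many values');
    }
    return array_values(array_unique($ids));
}

function findByAgeAndNums(PDO $pdo, int $age, array $nums): array
{
    if ($nums === []) {
        return []; // "IN ()" is a syntax error on most databases
    }
    // One positional placeholder per value: "?,?,?" for three items.
    $in = implode(',', array_fill(0, count($nums), '?'));
    $stmt = $pdo->prepare("SELECT * FROM people WHERE age = ? AND nums IN ($in)");
    $stmt->execute(array_merge([$age], $nums));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT, age INTEGER, nums INTEGER)');
$pdo->exec("INSERT INTO people VALUES ('a',1,1), ('b',1,4), ('c',1,9), ('d',2,1)");

// Constructed stand-in for $_GET on ?age=1&nums=1,2,3,4,5
$get = ['age' => '1', 'nums' => '1,2,3,4,5'];
$rows = findByAgeAndNums($pdo, (int) $get['age'], parseIntList($get['nums']));
print_r(array_column($rows, 'name'));

try {
    parseIntList('1,2,abc'); // constructed malformed input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Only the number of placeholders is interpolated into the SQL text; every value from the request is still bound as a parameter.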