Using a variable to hold a table name, and using that variable in queries

Question

i've the next code to construct my variable:

 $idProvincia=$_GET["ciudad"];

The table name will change according to the $idProvincia value. Table name:

 $post="wp_".$idProvincia."_post";

and i want to include the $post variable into the query:

$result = mysql_query ("SELECT post.ID, post.post_title, post.guid, post.post_content, postmeta.meta_value, postmeta.meta_key
FROM `".$post."` AS post
INNER JOIN wp_".$idProvincia."_postmeta AS postmeta ON post.ID = postmeta.post_id
WHERE postmeta.meta_key='fc_start_datetime' AND post.post_status='publish' AND post.post_type='post'
ORDER BY postmeta.meta_value ") or die (mysql_error());

I can't get the correct result. I've read a lot of manuales but i can't get the query functional.

I want to do the same query procedure for more variables

Please STOP! and read this: http://stackoverflow.com/questions/732561/why-is-using-a-mysql-prepared-statement-more-secure-than-using-the-common-escape and then this: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php Even if you get that code to work you are just asking for trouble from a security perspective. — Brad Peabody, Aug 12 '13 at 09:06
@bgp I know the injection issues, i'm just trying to make it work, i'll change it later, there is no reason to vote negative, i just need to know how to concatenate and make it work ok — n4h1n, Aug 12 '13 at 09:11
___Warning___ your code is vulnerable to sql injection and you are using an obsolete api ..either use PDO or mysqli check this http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189 — NullPoiиteя, Aug 12 '13 at 09:11
@n4h1n Fair enough. I suggest stating that up front in the question then - as you can see the response. Not my negative vote though, for the record. — Brad Peabody, Aug 12 '13 at 09:16
@bgp OK! sorry for my bad response. I'm very tied to the place where i work and i cannot change certain stuff. — n4h1n, Aug 12 '13 at 10:05

score 0 · Accepted Answer · answered Aug 12 '13 at 09:10

0

You should move that idProvincia thing into table body, not name.

Add a field named idProvincia to table wp_post and then add this number usual way:

$ciudad = mysql_real_escape_string($_GET["ciudad"]);
$sql = "SELECT post.ID, post.post_title, post.guid, post.post_content,
               postmeta.meta_value, postmeta.meta_key
FROM wp_post AS post
INNER JOIN wp_postmeta AS postmeta ON post.ID = postmeta.post_id
WHERE postmeta.meta_key='fc_start_datetime' AND post.post_status='publish' AND post.post_type='post' AND idProvincia = '$ciudad'
ORDER BY postmeta.meta_value "
$result = mysql_query ($sql) or trigger_error(mysql_error());

answered Aug 12 '13 at 09:10

Your Common Sense

156,878
40
214
345

I cannot add the idProvincia to the table wp_post. The $idProvincia value will change and the querys must change too – n4h1n Aug 12 '13 at 09:20
yes yes. that's why it is added to the query. this is how SQL works: you have to store data in the table body, not in the table name – Your Common Sense Aug 12 '13 at 09:23

Using a variable to hold a table name, and using that variable in queries

1 Answers1