0

In my code I'm trying to accept input through a webpage from the user and create SQL query by dynamically creating where clause based on the input from the user. However it looks like I'm unable to correctly concatenate strings.

$whereclause .= "AND niche ='".$niche."'";

$result = mysql_query("SELECT * FROM merc WHERE 1 = 1".$whereclause."") or die('Could not connect: ' . mysql_error());
tshepang
  • 12,111
  • 21
  • 91
  • 136
Amit
  • 3
  • 1
  • 6
    Welcome to Stack Overflow! [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – ThiefMaster Oct 16 '13 at 16:35
  • You're missing a space between the 1 and the whereclause. – aynber Oct 16 '13 at 16:38
  • 1
    **By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. – Andy Lester Oct 16 '13 at 17:12
  • @AndyLester can you tell, what is your favorite and why when considering `ADO/PDO/ODBC`? – mpapec Oct 16 '13 at 17:37
  • I have no preference. I've always used PDO but you may have different needs. The key is to stop building SQL statements from untrusted data. – Andy Lester Oct 16 '13 at 18:51

2 Answers2

1

You should avoid SQL Injection conditions while writing queries and use mysqli or PDO_mysql instead of mysql.

Try following query:

$result = mysql_query("SELECT * FROM merc WHERE 1 = 1 ".$whereclause."") or die('Could not connect: ' . mysql_error());

space was missing in your query.

Nishu Tayal
  • 20,106
  • 8
  • 49
  • 101
0

A space is missing.

$whereclause = "AND niche = '".mysqli_real_escape_string($niche)."'";
$result = mysqli_query("SELECT * FROM merc WHERE 1 = 1 ".$whereclause") or die('Could not connect: ' . mysqli_error());

Make sure when getting input from a user it is not passed unmolested to MySQL. Doing otherwise will open the application up to a ton of problems, most specifically SQL Injection. Also, the mysql_* functions have been deprecated. Moving to mysqli_* is highly suggested.

SamA
  • 587
  • 3
  • 6
  • Hi SamA, Thanks for the help. When i use your code i get these errors Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given Warning: mysqli_query() expects at least 2 parameters, 1 given Warning: mysqli_error() expects exactly 1 parameter, 0 given – Amit Oct 17 '13 at 04:35
  • PHP.net has a great set of docs on all functions. Turns out to use the mysqli query function procedurally, one needs to call it like this "mysqli::query". See docs here: http://php.net/manual/en/mysqli.query.php – SamA Oct 17 '13 at 15:45