1

Is there any way to shorten this code:

$resultCategoryName = mysql_query("SELECT ecname FROM electioncategorymaster WHERE ecid=".$Category);
$rowCategoryName = mysql_fetch_row($resultCategoryName);
$CategoryName = $rowCategoryName[0];
hakre
  • 193,403
  • 52
  • 435
  • 836
RKh
  • 13,818
  • 46
  • 152
  • 265
  • 1
    If you find a shorter way, see if that also supports using bind variables/placeholders. – Thilo Jan 18 '10 at 06:33
  • How about telling us why you want to "shorten" the code? Looks like you're chasing down things that are irrelevant, and missing the possible SQL injection in your script (depending on the lines before this). – hobodave Jan 18 '10 at 06:35
  • Not really. I want to eliminate the need of the last row. Just finding out ways to write better code. I am a PHP newbie. – RKh Jan 18 '10 at 06:38
  • 1
    One anti-brownie point using string concatenation to pass SQL parameters... Seriously, it's a huge security hole and slows downs queries as well. Do not ever use string concatenation to pass SQL parameters. – Tamas Czinege Jan 18 '10 at 06:39
  • Thanks for the suggestion. Can you please illustrate the secure way? – RKh Jan 18 '10 at 06:44
  • 1
    http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php Use that search box in the top right of your browser. – hobodave Jan 18 '10 at 06:46
  • I can always use it anytime but since the discussion is live here and someone suggesting better option, why not ask him to post a line here itself. – RKh Jan 18 '10 at 06:52

7 Answers7

3

Perhaps you should look into using an ORM of some sort. Zend_Db has a method for grabbing a single value from a query.

$ecname = $db->fetchOne("SELECT ecname FROM electioncategorymaster WHERE ecid = ?", $Category);
hobodave
  • 28,925
  • 4
  • 72
  • 77
  • @jspcal: hobodave version of binding is more concise, which is what the OP was looking for in the first place. The only way people will use bind variables (short of hitting them for not doing it), is if there is no extra typing involved. – Thilo Jan 18 '10 at 06:59
  • 1
    @thilo: the second way is more conscise if you have an assoc array – jspcal Jan 18 '10 at 07:01
  • @jspcal: Don't think so, you can do `$db->fetchOne('select ecname from electioncategorymaster where ecid = ? OR foo = ?', array($Category, $foo));` – Alix Axel Jan 18 '10 at 07:07
  • @jspcal: please keep personal attacks and off-topic "stuff" out of comments. It degrades SO. – hobodave Jan 18 '10 at 07:13
  • @hobodave: you are the one downvoting as a means of retaliation because you didn't like my comment. ive contacted the mods. – jspcal Jan 18 '10 at 07:24
2

No. Due to a flaw in PHP the following is not possible:

$CategoryName = mysql_fetch_row($resultCategoryName)[0];
Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358
1

I don't think it can be reduced any further. All functions are performing their task at the very minimal level. You can only shorten variable names :)

Sarfraz
  • 377,238
  • 77
  • 533
  • 578
1

you can use mysql_result to get categroyName in 2 steps.


$resultCategoryName = mysql_query("SELECT ecname FROM electioncategorymaster WHERE ecid=".$Category);
$categoryName = mysql_result($resultCategoryName, 0); //Extract First column

Here is the reference link.

Adeel
  • 19,075
  • 4
  • 46
  • 60
0

I'm no PHP guru, but maybe you should either be using a framework or a class for each table.

I don't think that code can be reduced per se.

metrobalderas
  • 5,180
  • 7
  • 40
  • 47
0
$rowCategoryName = mysql_fetch_row(mysql_query("SELECT ecname FROM electioncategorymaster WHERE ecid=$Category"));
$CategoryName = $rowCategoryName[0];

That's the shortest I can think of. You really should do SELECT ecname FROM electioncategorymaster WHERE ecid='$Category'" though (putting single quotes around the variable).

Brendan Long
  • 53,280
  • 21
  • 146
  • 188
  • 1
    No, no, no! You don't pass parameters to the database that way! – Tamas Czinege Jan 18 '10 at 06:41
  • 1
    Why was this voted down? It's true. The fact that doing it isn't particularly helpful doesn't change the fact that it's the only real answer to the question. – Brendan Long Jan 18 '10 at 06:41
  • @Brendan Long: It wasn't me who downvoted it but probably due to the SQL injection issue. – Tamas Czinege Jan 18 '10 at 06:42
  • Why not? There's no difference between `$x = "blah blah". $blah;` and `$x = "blah blah $blah";` – Brendan Long Jan 18 '10 at 06:42
  • And I'm assuming (probably incorrectly) that the variable is already escaped earlier. The part where I said to add single quotes was specifically to address the injection problem. – Brendan Long Jan 18 '10 at 06:43
  • Even if it's escaped, it makes query caching harder as the database can't reuse previous queries that only differ in the value of the parameter. – Tamas Czinege Jan 18 '10 at 06:44
  • What do you mean? If I escape $var, then run `mysql_query("SELECT * FROM x WHERE var='$var'` it should be safe, right? – Brendan Long Jan 18 '10 at 06:46
  • 1
    If you are going the string interpolation route (meaning that you trust $var is properly escaped), then at least lose the quotes, as they introduce an extra cast from varchar to number. – Thilo Jan 18 '10 at 06:51
  • 2
    It is safe but performance-wise, it is far from being optimal. In your example, for every different value of $var the database has to execute a whole new query. If you have parametrized queries, the database can reuse the first query as the only thing that changed was the value of a parameter, hence subsequent queries being faster. – Tamas Czinege Jan 18 '10 at 06:51
0

This is the way I do it. I use sprintf to insure that only numeric values are passed as id. I also append SQL sentance with LIMIT 1 to ensure that only one record is fetched.

$r = mysql_fetch_row(mysql_query(
sprintf("SELECT * FROM <sometable> WHERE id = %d LIMIT 1",intval($id))
,$connection));
Oto Brglez
  • 4,113
  • 1
  • 26
  • 33