SELECT * with many conditionals

Question

I have a problem in selecting table in many condition, can anybody help me?

  $tbl_name =$_POST['report']; 
    if($tbl_name=="dailymeal")
 $select = "SELECT * FROM '$tbl_name' where a4>='$tanggal_awal' and a4 <='$tanggal_akhir'"; 
if($table_name="infomeal")
{ $select = "SELECT * FROM `".$tbl_name."` where tanggal >=`".$tanggal_awal."` and tanggal <=`".$tanggal_akhir."`"; }
if($table_name="keluhan")
{ $select = "SELECT * FROM `".$tbl_name."` where tlapor >=`".$tanggal_awal."` and tlapor <=`".$tanggal_akhir."`"; }
if($table_name="perjalanan")
{ $select = "SELECT * FROM `".$tbl_name."` where request_date>=`".$tanggal_awal."` and request_date <=`".$tanggal_akhir."`"; }
if($table_name="tamu")
{ $select = "SELECT * FROM `".$tbl_name."` where jam_masuk>=`".$tanggal_awal."` and jam_masuk <=`".$tanggal_akhir."`"; }
if($table_name="tiket")
{ $select = "SELECT * FROM `".$tbl_name."` where waktu_input>=`".$tanggal_awal."` and waktu_input <=`".$tanggal_akhir."`"; }
if($table_name="trx_kons")
{ $select = "SELECT * FROM `".$tbl_name."` where date_trx>=`".$tanggal_awal."` and date_trx <=`".$tanggal_akhir."`"; }
if($table_name="uniform")
{ $select = "SELECT * FROM `".$tbl_name."` where reqtime >=`".$tanggal_awal."` and reqtime <=`".$tanggal_akhir."`"; }
if($table_name="konsumable")
{ $select = "SELECT * FROM `".$tbl_name."`"; }


mysql_query('SET NAMES utf8;');
$export = mysql_query($select);

query 'where' is not working at all. i try to select all data between date1 and date2. what i suppose to do here?

I can tell you right off the bat, this `FROM '$tbl_name'` the quotes need to be removed. — Funk Forty Niner, May 07 '14 at 00:34
Plus, you're assigning `if($table_name="konsumable")` in other places also use `==` --- `if($table_name=="...` (instead of comparing) — Funk Forty Niner, May 07 '14 at 00:37
also, you're assigning $tbl_name, then trying to compare against $table_name. I think that's what fred just said but I'm not sure — Kai Qing, May 07 '14 at 00:41
Also missing braces for your first `if($tbl_name=="dailymeal")` — Funk Forty Niner, May 07 '14 at 00:43
*Well,* [**my work is done**](http://stackoverflow.com/a/23506864/) I'm outta here. — Funk Forty Niner, May 07 '14 at 01:39

score 2 · Answer 1 · edited May 23 '17 at 12:28

Firstly, you may want to change all $table_name to $tbl_name because as it stands, you're using two different variables for your table checking. Or to make it even simpler, changing all instances of $tbl_name to $table_name which will require a lot less work. So at this point, it's uncertain as to which variable you meant to use, or if you have more code that you may not be showing us.

I.e.: if($tbl_name=="dailymeal") and if($table_name="infomeal")

Therefore it's more than likely you would want to use:

$table_name =$_POST['report']; 
if($table_name=="dailymeal")

Now, you have quotes around FROM '$tbl_name' those need to be removed or use backticks if you wish to escape it.

You should have used (or you meant to use) the same method you used in

SELECT * FROM `".$tbl_name."`

Plus, you're assigning = instead of comparing == using if($table_name="infomeal") and many others.

You also have a few missing braces for if($tbl_name=="dailymeal")

Comparison ==: http://www.php.net/manual/en/language.operators.comparison.php

Assignment =: http://www.php.net/manual/en/language.operators.assignment.php

Rewrite:

$tbl_name = $_POST['report']; // or $table_name

// or $table_name
if($tbl_name=="dailymeal"){
$select = "SELECT * FROM `".$tbl_name."` where a4>='$tanggal_awal' and a4 <='$tanggal_akhir'"; 

 // alternate method
 // $select = "SELECT * FROM $tbl_name where a4>='$tanggal_awal' and a4 <='$tanggal_akhir'"; 
}

if($table_name=="infomeal"){
    $select = "SELECT * FROM `".$tbl_name."` where tanggal >=`".$tanggal_awal."` and tanggal <=`".$tanggal_akhir."`";
}

if($table_name=="keluhan"){
    $select = "SELECT * FROM `".$tbl_name."` where tlapor >=`".$tanggal_awal."` and tlapor <=`".$tanggal_akhir."`";
    }
if($table_name=="perjalanan"){
    $select = "SELECT * FROM `".$tbl_name."` where request_date>=`".$tanggal_awal."` and request_date <=`".$tanggal_akhir."`";
}

if($table_name=="tamu"){
    $select = "SELECT * FROM `".$tbl_name."` where jam_masuk>=`".$tanggal_awal."` and jam_masuk <=`".$tanggal_akhir."`";
}

if($table_name=="tiket"){
    $select = "SELECT * FROM `".$tbl_name."` where waktu_input>=`".$tanggal_awal."` and waktu_input <=`".$tanggal_akhir."`";
}

if($table_name=="trx_kons"){
    $select = "SELECT * FROM `".$tbl_name."` where date_trx>=`".$tanggal_awal."` and date_trx <=`".$tanggal_akhir."`";
}

if($table_name=="uniform"){
    $select = "SELECT * FROM `".$tbl_name."` where reqtime >=`".$tanggal_awal."` and reqtime <=`".$tanggal_akhir."`";
}

if($table_name=="konsumable"){
    $select = "SELECT * FROM `".$tbl_name."`";
}


mysql_query('SET NAMES utf8;');
$export = mysql_query($select);

Footnotes:

Your present code is open to SQL injection. Use prepared statements, or PDO.

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.

Debugging/Troubleshooting

Add error reporting to the top of your file(s) which will help during production testing.

error_reporting(E_ALL);
ini_set('display_errors', 1);

Giacomo1968 · Answer 2 · 2014-05-07T00:56:15.143

Try this. Basic cleanup revealed a few issues to say the least:

$select = '';

$tbl_name = $_POST['report'];

if ($tbl_name == "dailymeal") {
  $select = "SELECT * FROM `" . $tbl_name . "` WHERE a4 >= '$tanggal_awal' AND a4 <= '$tanggal_akhir'";
}
if ($tbl_name == "info meal") {
  $select = "SELECT * FROM `" . $tbl_name . "` WHERE tanggal >= `" . $tanggal_awal . "` AND tanggal <= `".$tanggal_akhir."`";
}
if ($tbl_name == "keluhan") {
  $select = "SELECT * FROM `" . $tbl_name. "` WHERE tlapor >= `" . $tanggal_awal . "` AND tlapor <= `".$tanggal_akhir."`";
} 
if ($tbl_name == "perjalanan") {
  $select = "SELECT * FROM `" . $tbl_name . "` WHERE request_date >= `" . $tanggal_awal . "` AND request_date <= `".$tanggal_akhir."`";
}
if ($tbl_name == "tamu") {
  $select = "SELECT * FROM `" . $tbl_name . "` wh WHERE ere jam_masuk >= `" . $tanggal_awal . "` AND jam_masuk <= `".$tanggal_akhir."`";
}
if ($tbl_name == "ticket") {
  $select = "SELECT * FROM `" . $tbl_name . "` WHERE waktu_input >= `" . $tanggal_awal . "` AND waktu_input <= `".$tanggal_akhir."`";
}
if ($tbl_name == "trx_kons") { 
  $select = "SELECT * FROM `" . $tbl_name . "` WHERE date_trx >= `" . $tanggal_awal . "` AND date_trx <=`".$tanggal_akhir."`";
}
if ($tbl_name == "uniform") { 
  $select = "SELECT * FROM `" . $tbl_name . "` WHERE reqtime >= `" . $tanggal_awal . "` AND reqtime <=`".$tanggal_akhir."`";
}
if ($tbl_name == "consumable") {
  $select = "SELECT * FROM `" . $tbl_name . "`";
}

if (!empty($select)) {
  mysql_query('SET NAMES utf8;');
  $export = mysql_query($select);
}

The issues were—in no particular order—the following:

You are referring to $tbl_name in some places and $table_name in others. So I set them all to $tbl_name.
Many of your conditional if statements were actually assignments. Such as this if($table_name="perjalanan") which should use == so it is this if($tbl_name == "perjalanan").
Your first SELECT has SELECT * FROM '$tbl_name' which won’t work due to the single quotes (') so I changed them all to be like the rest: SELECT * FROM" . $tbl_name . "``
Overall formatting or lack of constant formatting makes debugging hard. And causes errors like this. While you technically do not need { } braces for the if statements you have, I find they are useful for readability. Ditto with basic indentation. It might seem like a hassle to format code like this but at the end of the day it saves you time & makes code more readable for others.
Technically speaking you do not have to concatenate with . every time variable appears in PHP like this when using double quotes: "SELECT * FROM" . $tbl_name . "You could just write it like this: `"SELECT * FROM `$tbl_name` since double quotes allow for string substitution. But I simply left it like that with the . but just added spaces since I find that format to be more readable as well.

Logan Wayne · Accepted Answer · 2014-05-07T01:33:10.293

MySQL is deprecated. You should try atleast MySQLi. And where does $table_name came from? I think you meant for $tbl_name, right? You can try this:

<?php

/* ESTABLISH CONNECTION */

$connect=mysqli_connect("YourHost","YourUsername","YourPassword","YourDatabase");

if(mysqli_connect_errno()){

echo "Error".mysqli_connect_error();
}

$tbl_name = mysqli_real_escape_string($connect,$_POST['report']); /* ESCAPE_STRING SUBMITTED DATA */

if($tbl_name=="dailymeal") {
 $select = "SELECT * FROM dailymeal WHERE a4>='$tanggal_awal' AND a4 <='$tanggal_akhir'"; 
}

if($tbl_name=="infomeal")
{ $select = "SELECT * FROM infomeal WHERE tanggal>=`".$tanggal_awal."` AND tanggal <=`".$tanggal_akhir."`"; }

if($tbl_name=="keluhan")
{ $select = "SELECT * FROM keluhan WHERE tlapor>=`".$tanggal_awal."` AND tlapor <=`".$tanggal_akhir."`"; }

if($tbl_name=="perjalanan")
{ $select = "SELECT * FROM perjalanan WHERE request_date>=`".$tanggal_awal."` AND request_date <=`".$tanggal_akhir."`"; }

if($tbl_name=="tamu")
{ $select = "SELECT * FROM tamu WHERE jam_masuk>=`".$tanggal_awal."` AND jam_masuk <=`".$tanggal_akhir."`"; }

if($tbl_name=="tiket")
{ $select = "SELECT * FROM tiket WHERE waktu_input>=`".$tanggal_awal."` AND waktu_input <=`".$tanggal_akhir."`"; }

if($tbl_name=="trx_kons")
{ $select = "SELECT * FROM trx_kons WHERE date_trx>=`".$tanggal_awal."` AND date_trx <=`".$tanggal_akhir."`"; }

if($tbl_name=="uniform")
{ $select = "SELECT * FROM uniform WHERE reqtime>=`".$tanggal_awal."` AND reqtime <=`".$tanggal_akhir."`"; }

if($tbl_name=="konsumable")
{ $select = "SELECT * FROM konsumable"; }


if(empty($select)){
"Please fill the text box properly.";
}

else {
mysqli_query('SET NAMES utf8;');
$export = mysqli_query($connect,$select);
}

?>

@kafi - If an answer helps you, choose the best answer and tick the check on the left side of the best answer or even at least up-vote the answer that greatly helps you. — Logan Wayne, May 07 '14 at 01:38

score 0 · Answer 4 · answered May 07 '14 at 00:52

Wrong variable name used. $table_name should be $tbl_name.
You're assigning in other conditions instead of comparing. == instead of =
Concatenation is wrong. Pay more attention.
I suggest to use if else. But let's stick to your structure.

Perhaps, try this:

$tbl_name = $_POST['report']; 
if($tbl_name=="dailymeal")
{ $select = "SELECT * FROM `".$tbl_name."` where a4>=`".$tanggal_awal."` and a4 <=`".$tanggal_akhir."`"; }
if($tbl_name=="infomeal")
{ $select = "SELECT * FROM `".$tbl_name."` where tanggal >=`".$tanggal_awal."` and tanggal <=`".$tanggal_akhir."`"; }
if($tbl_name=="keluhan")
{ $select = "SELECT * FROM `".$tbl_name."` where tlapor >=`".$tanggal_awal."` and tlapor <=`".$tanggal_akhir."`"; }
if($tbl_name=="perjalanan")
{ $select = "SELECT * FROM `".$tbl_name."` where request_date>=`".$tanggal_awal."` and request_date <=`".$tanggal_akhir."`"; }
if($tbl_name=="tamu")
{ $select = "SELECT * FROM `".$tbl_name."` where jam_masuk>=`".$tanggal_awal."` and jam_masuk <=`".$tanggal_akhir."`"; }
if($tbl_name=="tiket")
{ $select = "SELECT * FROM `".$tbl_name."` where waktu_input>=`".$tanggal_awal."` and waktu_input <=`".$tanggal_akhir."`"; }
if($tbl_name=="trx_kons")
{ $select = "SELECT * FROM `".$tbl_name."` where date_trx>=`".$tanggal_awal."` and date_trx <=`".$tanggal_akhir."`"; }
if($tbl_name=="uniform")
{ $select = "SELECT * FROM `".$tbl_name."` where reqtime >=`".$tanggal_awal."` and reqtime <=`".$tanggal_akhir."`"; }
if($tbl_name=="konsumable")
{ $select = "SELECT * FROM `".$tbl_name."`"; }


mysql_query('SET NAMES utf8;');
$export = mysql_query($select);

score 0 · Answer 5 · edited May 23 '17 at 12:20

0

You also have a high risk of injection attack - if someone sends something other than a table name to your parameter ($_POST['report'];)

Read more about injection attacks here: SQL injection that gets around mysql_real_escape_string()

edited May 23 '17 at 12:20

Community

1
1

answered May 07 '14 at 00:53

findsje

21
1

score 0 · Answer 6 · answered May 07 '14 at 01:17

You could greatly simplify this code with a BETWEEN in your SQL, and a hash table to store the relationship between table and column.

$table_fields = array(
    "dailymeal" => "a4",
    "infomeal" => "tanggal",
    "keluhan" => "tlapor",
    ...
);

$tbl_name = $_POST['report'];
// check to make sure that tbl_name is a proper table name - don't trust the user input!
$field_nm = $table_fields[$tbl_name];

$select = "SELECT * FROM $tbl_name where $tanggal_awal BETWEEN $field_nm and $field_nm";

There's some other cleaning up you can do, like making sure to properly escape values and/or using bind variables but the basic idea is to recognize the patterns in your logic & use them to simplify your code.

SELECT * with many conditionals

6 Answers6