0

I'm having trouble with a FIND_IN_SET query. I can get the basic query to work but when I replace the search terms with PHP variables it fails.

if ($_GET['picId']) {
    $query_class    = $_GET['query_class'];
    $query_subclass = "picSearch";
    $criteria       = "(FIND_IN_SET (".$_GET['picId'].",pic_IDs))" ;
    $criteria_value = ">0";
} 
$tbl_name = "expo_data";

$result = mysql_query("SELECT * FROM $tbl_name WHERE $criteria $criteria_value");

If I use a hard coded query it works fine. say "look for all occurrences of a picture with id=3 in column pic_IDS"

$result = mysql_query("SELECT * FROM $tbl_name WHERE (FIND_IN_SET(3,pic_IDs))>0");

If I echo $criteria and $criteria_value the results "Look" OK.

So what am I doing wrong?

Keith Pinson
  • 7,835
  • 7
  • 61
  • 104
Sabreur
  • 21
  • 7
  • 4
    Before you run the query echo it out and see if it looks right. I'm assuming the issue is with the html entities that should be parenthesis. Also, SQL Injection warning. – Jonathan Kuhn Apr 10 '15 at 18:28
  • **$criteria = 'FIND_IN_SET ('.$_GET['picId'].',pic_IDs)';** – Alex Apr 10 '15 at 18:35
  • MySQL does not expect HTML entity-encoded characters `()<>`. Those need to be literals defined in your criteria strings - the string variable contents should be exactly as you hard-coded them. – Michael Berkowski Apr 10 '15 at 19:34
  • The previous two comments allude to SQL injection vulnerabilities: see [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for an explanation of how you must handle `$_GET['picId']` in this query. At a minimum, you should call `intval($_GET['picId'])` to cast it as an integer. – Michael Berkowski Apr 10 '15 at 19:36
  • Thanks Alex, that fixed it. OK, Jonathan & Michael, I get the message! I'll look into the SQL injection. I have had a quick look at your link and my brain is still hurting! Is there an idiots guide for people like me? – Sabreur Apr 11 '15 at 17:21

0 Answers0