
I have a PHP SQL query that looks like this:

$search = mysql_query("SELECT * FROM `data` WHERE (`state` IN ($userStr)) AND ('Scholarship Type' LIKE '%$stype%')")

$userStr is an array of states that the end user chooses with checkboxes. This part is working fine, but when I introduce the next condition, the scholarship type, it will not work.

Here is the full code:

<html>
<head>
<link rel="stylesheet" type="text/css" href="results.css">
</head>
<body>
<?php

$state = $_POST['state'];
$stype = $_POST['stype'];


$connection = mysql_connect('198.71.225.63:3306', 'newmslsuper', 'blank'); //The Blank string is the password
if (!$connection) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db('msl_data');

// The states the user ticked arrive as the array $_POST['col'];
// default to an empty array so implode() below always receives an array
$state1 = array();
if(isset($_POST['col'])){
    $state1 = $_POST['col'];
}

$userStr = implode(',', $state1);


// Note: 'Scholarship Type' is in single quotes, so MySQL reads it as a string
// literal rather than as the column `Scholarship Type`; this is the condition that fails
$search = mysql_query("SELECT * FROM `data` WHERE (`state` IN ($userStr)) AND ('Scholarship Type' LIKE '%$stype%')");
if (!$search) {
    die('Query failed: ' . mysql_error()); // report the MySQL error instead of failing silently
}
$count=mysql_num_rows($search);
if ($count==0) {
    echo 'Sorry your search returned no results. Please try again.';
}
else {

    $fields_num1 = mysql_num_fields($search);

    echo "<table><tr>";

    // printing table headers
    for($i=0; $i<$fields_num1; $i++)
    {
        $field1 = mysql_fetch_field($search);
        echo "<th>{$field1->name}</th>";
    }
    echo "</tr>\n";

    // printing table rows
    while($row1 = mysql_fetch_row($search))
    {
        echo "<tr>";

        // $row1 is an array... foreach( .. ) puts every element
        // of $row1 into the $cell1 variable
        foreach($row1 as $cell1)
            echo "<td>$cell1</td>";

        echo "</tr>\n";
    }
    echo "</table>";
}
mysql_close(); //Make sure to close out the database connection


?>
</body>
</html>
Tom Canfarotta
  • `mysql_*` functions are deprecated (and removed in PHP7), I suggest using PDO as an alternative (googling it gives plenty of examples on how to use it). Also: your code is vulnerable to SQL injections, either use prepared statements or do some proper checks on the data the user provided (at the very least escaping). – ccKep Dec 21 '15 at 15:37
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 21 '15 at 15:38
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Dec 21 '15 at 15:38
  • http://php.net/manual/en/function.mysql-error.php would have helped you out here, and using it against your query. Edit: *Ain't that right Sam?* - @JayBlanchard – Funk Forty Niner Dec 21 '15 at 15:43
  • *As right as can be this close to the Holidays Ralph.* @Fred-ii- – Jay Blanchard Dec 21 '15 at 15:56

1 Answer

Remove the single quotes and use backticks to escape the space in the column name:

SELECT * FROM `data` 
WHERE `state` IN ($userStr) 
AND `Scholarship Type` LIKE '%$stype%'
  --^-- Here       --^--here
Pரதீப்
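As an added example (not the original poster's code and not part of the answer above), here is the same search rewritten the way the comments suggest, with PDO prepared statements, and with the column quoted in backticks as the answer shows. The host, database and user name, the form fields `col` and `stype`, and the column names `state` and `Scholarship Type` are taken from the question; the `DB_PASSWORD` environment variable, the helper names `buildScholarshipQuery`, `searchScholarships` and `h`, and the `!` LIKE escape character are assumptions made for this example. It needs PHP 7.1 or later.

```php
<?php
// Added example, not the original poster's code: the scholarship search with
// PDO prepared statements. Connection details, form field names and column
// names come from the question; DB_PASSWORD and the helper names are assumed.

/**
 * Build the parameterised query. Returns [sql, params] so the construction
 * can be inspected without a database connection.
 */
function buildScholarshipQuery(array $states, string $stype): array
{
    // "IN ()" is a syntax error in MySQL, so reject an empty list up front
    // instead of sending a query that can only fail.
    if ($states === []) {
        throw new InvalidArgumentException('at least one state is required');
    }

    // One positional placeholder per state; the values are bound at execute()
    // time and are never interpolated into the SQL text.
    $placeholders = implode(',', array_fill(0, count($states), '?'));

    // LIKE treats % and _ as wildcards. Escaping them (and the escape char
    // itself) in the user's term keeps "100%" matching literally instead of
    // widening the search. "!" is used as the escape character so the result
    // does not depend on the server's backslash handling (sql_mode).
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $stype) . '%';

    // Identifiers cannot be bound as parameters, so the column names are fixed
    // here and quoted with backticks (the second one contains a space).
    $sql = 'SELECT * FROM `data` WHERE `state` IN (' . $placeholders . ') '
         . "AND `Scholarship Type` LIKE ? ESCAPE '!'";

    $params = array_merge(array_map('strval', array_values($states)), [$pattern]);
    return [$sql, $params];
}

/** Run the query and return the matching rows as associative arrays. */
function searchScholarships(PDO $pdo, array $states, string $stype): array
{
    [$sql, $params] = buildScholarshipQuery($states, $stype);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape a value for HTML output; the original script echoed cells raw. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the form: the ticked states arrive as an array (col[]), the type as text.
$states = (isset($_POST['col']) && is_array($_POST['col'])) ? $_POST['col'] : [];
$stype  = isset($_POST['stype']) ? (string) $_POST['stype'] : '';

$pdo = new PDO(
    'mysql:host=198.71.225.63;port=3306;dbname=msl_data;charset=utf8mb4',
    'newmslsuper',
    (string) getenv('DB_PASSWORD'),          // assumption: password kept out of source
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]
);

try {
    $rows = searchScholarships($pdo, $states, $stype);
} catch (InvalidArgumentException $e) {
    $rows = []; // no states ticked: treat as an empty result
}

if ($rows === []) {
    echo 'Sorry your search returned no results. Please try again.';
} else {
    echo '<table><tr>';
    foreach (array_keys($rows[0]) as $name) {
        echo '<th>' . h((string) $name) . '</th>';
    }
    echo "</tr>\n";
    foreach ($rows as $row) {
        echo '<tr>';
        foreach ($row as $cell) {
            echo '<td>' . h((string) $cell) . '</td>';
        }
        echo "</tr>\n";
    }
    echo '</table>';
}
```

The SQL text is fixed at development time and contains only placeholders, so neither the state values nor the search term can change its structure; `ESCAPE '!'` stops `%` and `_` typed by the user from acting as wildcards. The output is HTML-escaped as well, which the original script did not do. If the set of valid states is known, checking `$states` against that list before querying is a cheap additional control on top of the binding.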