0
<?php
    extract( $_GET );       
    $sql = "SELECT * FROM tablename order by Name DESC";
    $sql = "SELECT * FROM tablename where age = "31";
    $db = mysql_connect("localhost","root","password"); 
    if (!$db) {
    die("");
    }
    $db_select = mysql_select_db('databasename',$db);
    if (!$db_select) {
    die("");
    }
    if ( !( $result = mysql_query( $sql, $db ) ) ) {
    print( "Could not execute query! <br />" );
    die( mysql_error() . "</body></html>" );
    } // end if

    echo "<table>
    <tr>
    <th>Name</th>
    <th>Age</th>
    </tr>";

    while($row = mysql_fetch_array($result)){
        echo "<tr>";
        echo "<td>".$row['Name']."</td>";
        echo "<td>".$row['Age']."</td>";
    }
    echo "</table>";
    mysql_close( $db );
?>

Where should I add an if else statement for name and age that runs the SQL statement when either the name or age is selected? Name and Age are from different columns but in the same table.

Synetrix
  • 37
  • 4
  • 1
    Do you mean we need to run any one of these $sql? Please clarify your question properly. – Indrasis Datta Apr 03 '16 at 07:15
  • To run the sql statement when either the name or age is selected – Synetrix Apr 03 '16 at 07:17
  • Okay, and what are the possible query string keys? As in $_GET['name'] and $_GET['age']?? – Indrasis Datta Apr 03 '16 at 07:18
  • Also, can you please print_r($_GET) here and show me the array? – Indrasis Datta Apr 03 '16 at 07:20
  • Yes, name and age are the string keys. Could you provide a similar example of how this should be done – Synetrix Apr 03 '16 at 07:22
  • print_r($_GET) prints out Array ( [q] => Name ) – Synetrix Apr 03 '16 at 07:23
  • Don't do any of these answers. They open you up to sql injection. You are already using a deprecated set of functions, but to also add variables right into your sql, you are really making it easy! – Rasclatt Apr 03 '16 at 07:27
  • At the very least check that the `$_GET` is numeric before you insert it into the sql string...but you really just need to use PDO or mysqli with prepared statements. – Rasclatt Apr 03 '16 at 07:32
  • print_r($_GET) only prints out Array ( [q] => Name ). It is not numeric, only varchar – Synetrix Apr 03 '16 at 07:38
  • I'm not really used to mysqli or PDO, but I will look into it. Thanks – Synetrix Apr 03 '16 at 07:39
  • If you are inserting age, like all the answers are suggesting, that portion is the problem. Don't do that. – Rasclatt Apr 03 '16 at 07:41
  • 2
    @Synetrix you really should get used to PDO (or Mysqli) because all `mysql_` functions have been **removed** in PHP 7. – Arjan Apr 03 '16 at 07:52
  • 1
    You have a lot of other small errors in the code: you don't close your table rows for each array you fetch. Your age query uses the wrong quotes at 31 and thus closes the string early and opens a new one. Surely you have to be experiencing some errors? Try adding error_reporting(-1) in front as well. – Jester Apr 03 '16 at 08:23

3 Answers

1
if(isset($_GET['age'])) {
    $sql = 'SELECT * FROM tablename where age = ' . $_GET['age'];
} else if(isset($_GET['name'])) {
    $sql = 'SELECT * FROM tablename order by Name DESC';
}

Then you could use it for URLs like:

  • www.example.com?age=31
  • www.example.com?name

Just note that this is a very simplified example, you need to validate the input as well.

EDIT: You should not use mysql* (deprecated) functions, use mysqli* or PDO instead. For more information about mysql* functions read answers posted on this question.

Community
  • 1
  • 1
Liren
  • 390
  • 1
  • 3
  • 15
  • 1
    The `mysql_` functions are actually **removed** in PHP 7. And that was released in December of last year. – Arjan Apr 03 '16 at 07:56
0

Looks like you need to check the key of $_GET.

Try this:

if (isset($_GET['Name']) && !empty($_GET['Name'])) {
     $sql = "SELECT * FROM tablename order by Name DESC";
} else if (isset($_GET['Age']) && !empty($_GET['Age'])) {
      $sql = "SELECT * FROM tablename where age = '".$_GET['Age']."'";
}

Hope this helps.

Indrasis Datta
  • 8,692
  • 2
  • 14
  • 32
0
<?php
    error_reporting(-1);

    $db = mysqli_connect("localhost","root","password","databasename"); 
    if (!$db) {
        die( mysqli_connect_error() . "</body></html>" );
    }

    if(isset($_GET['age'])) {
        // You can use the $_GET['age'] variable in the query if you want to; this makes you vulnerable to SQL injection, though, if you don't use prepared statements or escape it (read link below).
        $sql = 'SELECT * FROM tablename where age = "31"';
    } else if(isset($_GET['name'])) {
        // Same as for age but $_GET['name'] in this case of course.
        $sql = 'SELECT * FROM tablename order by Name DESC';
    } else {
        // Neither parameter was sent, so there is no query to run.
        die( "No query selected!</body></html>" );
    }

    // mysqli_query() takes the connection first, then the SQL string.
    $result = mysqli_query($db, $sql);
    if (!$result) {
        print( "Could not execute query! <br />" );
        die( mysqli_error($db) . "</body></html>" );
    } // end if

    echo "<table>
    <tr>
    <th>Name</th>
    <th>Age</th>
    </tr>";

    while($row = mysqli_fetch_array($result)){
        echo "<tr>";
        echo "<td>".$row['Name']."</td>";
        echo "<td>".$row['Age']."</td>";
        echo "</tr>";
    }
    echo "</table>";
    mysqli_close($db);
?>

The queries above are safe as long as you don't use the $_GET variables in the query itself. If that is what you want, you should read up on prepared statements: http://php.net/manual/en/mysqli.prepare.php

Jester
  • 1,408
  • 1
  • 9
  • 21
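
The comments and the last answer point to prepared statements. The following is an added example, not code from any of the posters, showing the same name/age switch with a fixed set of statements and a bound age value. It assumes PDO with an in-memory SQLite database in place of MySQL so it runs offline; the `q` key comes from the question's `print_r($_GET)` output, while the `Age` selector value, the `age` key, the helper names and the sample rows are assumptions made for the example.

```php
<?php
// Assumption: in-memory SQLite (pdo_sqlite) stands in for the MySQL server so
// this runs offline; for MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample rows, using the question's table and column names.
$pdo->exec('CREATE TABLE tablename (Name TEXT, Age INTEGER)');
$insert = $pdo->prepare('INSERT INTO tablename (Name, Age) VALUES (?, ?)');
foreach ([['Alice', 31], ['Bob', 25], ['<b>Carol</b>', 31]] as $sample) {
    $insert->execute($sample);
}

// Hypothetical helper: pick a fixed statement from the request; no request
// value is ever concatenated into the SQL text.
function fetchRows(PDO $pdo, array $get): array
{
    $choice = $get['q'] ?? '';
    if ($choice === 'Name') {
        $stmt = $pdo->prepare('SELECT Name, Age FROM tablename ORDER BY Name DESC');
        $stmt->execute();
    } elseif ($choice === 'Age') {
        // Validate as an integer first, then bind it as a parameter.
        $age = filter_var($get['age'] ?? null, FILTER_VALIDATE_INT);
        if ($age === false) {
            return [];
        }
        $stmt = $pdo->prepare('SELECT Name, Age FROM tablename WHERE Age = :age');
        $stmt->bindValue(':age', $age, PDO::PARAM_INT);
        $stmt->execute();
    } else {
        return []; // unknown selector: run no query at all
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderTable(array $rows): string
{
    $html = "<table>\n<tr><th>Name</th><th>Age</th></tr>\n";
    foreach ($rows as $row) {
        // Escape on output so stored markup is shown as text, not interpreted.
        $html .= '<tr><td>' . htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . (int) $row['Age'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed requests: a valid age, then a non-integer value that is rejected.
echo renderTable(fetchRows($pdo, ['q' => 'Age', 'age' => '31']));
echo renderTable(fetchRows($pdo, ['q' => 'Age', 'age' => '31 OR 1=1']));
```

The first call prints the two rows with age 31, with the stored `<b>` markup escaped; the second prints an empty table because the value fails integer validation and no query is run.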