
I have a PHP page called get.php that has access to a MySQL database. I use one table called MyTable.

In the table I have more than one row. Every entry has an id that I use to get its other info:

// The id from the URL is concatenated straight into the SQL text
$sql = "SELECT * FROM `MyTable` WHERE `id`='" . $_GET["var1"] . "'";
$result = $conn->query($sql);
// ...

So when I go to:

localhost/bb/t2/get.php?var1=1

I get the other info, like the name, by fetching the rows.

BUT I want to deal with more than one variable:

localhost/bb/t2/get.php?var1=1&var2=2&var4=4&...

So I can get the info for every id, not just one.

I want to handle any number of variables and get their data.

Thank you!

sadssdsada
  • Build the query dynamically and use parameterized queries, open to SQL injections as is...or are all the `GET` parameters `id`s? – chris85 Oct 09 '16 at 18:38
  • Thank you for reply but the method didn't work :/ – sadssdsada Oct 09 '16 at 18:51
  • What method? Update the question to your code. – chris85 Oct 09 '16 at 18:55
  • You must not assemble your queries like this, because it exposes you to a kind of security breach called *SQL injection*. To circumvent this, use PHP's [PDO](https://www.php.net/manual/en/book.pdo.php) and set your values as parameters on the query, or use a DBAL (database abstraction layer) such as Doctrine (there are many good other ones). – Xano Oct 22 '21 at 07:09

2 Answers


It is unclear whether you want to use the variables to determine what fields you are selecting, or to use them to determine what ids are being searched for. Either way, it sounds like you just want to be able to pass any number of queries in the URL's query string to get what you are looking for.

PHP can actually parse arrays from the query string if composed properly.

Here is an example.

http://localhost/index.php?query1[]=var1&query1[]=var2&query1[]=var3

Note the [] after each query name. This is what the contents of $_GET would be in PHP.

$_GET = [
    "query1" => [
        "var1",
        "var2",
        "var3"
    ]
];

Now you can just get whatever fields or ids from the database that are listed in the array.

bluegman991

First, it would be easier to use an array for specifying multiple ids in the URL:

http://localhost/bb/t2/get.php?var[]=1&var[]=2&var[]=4&...

This way, in your PHP code $_GET['var'] will be an array and will contain all values specified in the URL.

Next, you have to make sure all array items (the ids) are numeric. There are many solutions for this, for example skipping non-numeric values:

// make sure parameters are OK (isset avoids a warning when ?var[] is missing)
if (isset($_GET['var']) && is_array($_GET['var'])) {
    // eliminate non-numeric values
    $ids = array_filter($_GET['var'], function($item) {
        return is_numeric($item);
    });
}
else {
    // invalid arguments; throw exception or do something else
}

Finally, you have to use WHERE IN in your query (and verify, of course, that there are actually some values in the $ids array before executing the SQL query):

if (!empty($ids)) {
    $sql = "SELECT * FROM `MyTable` WHERE `id` IN (" . implode(",", $ids) . ")";
}
else {
    //TODO: no numeric ids specified, do something else...
}
Zoli Szabó
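The same ?var[]=1&var[]=2&var[]=4 approach from the answer above, combined with the parameterized query the comments ask for, as an added example that is not the answerer's or the asker's code. It assumes a PDO connection in `$pdo`, the `MyTable`/`id` names from the question, and a `name` column that the question only mentions in passing.

```php
<?php
// Added example: validate a variable number of ids from ?var[]=1&var[]=2&var[]=4
// and look them up with a prepared statement instead of string concatenation.
// Assumes an existing PDO connection in $pdo (not shown on the page) with
// PDO::ATTR_EMULATE_PREPARES set to false, so MySQL prepares it server-side.

const MAX_IDS = 100; // cap so a long URL cannot make the IN (...) list unbounded

// Keep only non-negative integers ("1 OR 1=1", "1e3", "" are dropped), deduplicated, as ints.
function collectIds(array $get): array
{
    $raw = $get['var'] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw]; // ?var=1 without [] is accepted too
    }
    $ids = [];
    foreach ($raw as $item) {
        // FILTER_VALIDATE_INT rejects whitespace, floats, exponents and nested arrays
        $id = filter_var($item, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($id !== false) {
            $ids[$id] = true; // using the id as key deduplicates
        }
    }
    return array_slice(array_keys($ids), 0, MAX_IDS);
}

function fetchRowsByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return []; // "IN ()" is a syntax error in MySQL, so never build it
    }
    // One "?" per id; the values are bound, never spliced into the SQL text
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM `MyTable` WHERE `id` IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$ids = collectIds($_GET);
if ($ids === []) {
    http_response_code(400);
    exit('no valid ids given');
}
foreach (fetchRowsByIds($pdo, $ids) as $row) {
    echo htmlspecialchars($row['name'] ?? '', ENT_QUOTES, 'UTF-8'), "\n"; // 'name' column is assumed
}
```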