
Problem is:

$type = my r_areal variable

$sqlc = "SELECT * FROM reservation where r_areal IN ('".$type."') and '".$cid."' between r_start and r_ende
            or where r_areal IN ('".$type."') '".$cod."' between r_start and r_ende
            or where r_areal IN ('".$type."') '".$cid."'<= r_start AND '".$cod."' >= r_ende
            ";

So this is my PHP query for SQL. It works, but it shows me every SQL row for every $type in my DB. Instead it should only show all rows for, e.g., the parameter B. I know that one problem is that the `where r_areal IN ('".$type."')` is only accepted once. But if I remove the second and third one, it shows me all rows for all $type.

Can anybody help me?

Your Common Sense
CodeNewb
  • You need to use parentheses, otherwise you have a mixture of AND and OR. – Iłya Bursov Aug 08 '17 at 21:13
  • This is horrendously vulnerable to SQL injection attacks. Please learn to use parameterised queries, otherwise your data can easily be corrupted, deleted or stolen. http://bobby-tables.com/ explains the issues (humorously, but straightforwardly) and also has some examples, including in PHP, of how to include variables in your query safely. – ADyson Aug 08 '17 at 21:14
  • Does this code actually run? I see multiple `WHERE` in this statement. That definitely won't run. – Eric Aug 08 '17 at 21:15
  • It does run, but it shows me every column. It simply ignores the 2nd and 3rd `where` statement. – CodeNewb Aug 08 '17 at 21:18
  • It kind of looks like all those different where clauses are trying to do the same thing. Can you explain in more detail what this is supposed to select? – Don't Panic Aug 08 '17 at 21:20
  • And what are `$cid` and `$cod`? – Don't Panic Aug 08 '17 at 21:20
  • @CodeNewb If it runs, you must have copied it wrong in the question. There's no way that `or where` can possibly work. – Barmar Aug 08 '17 at 21:23

1 Answer


Use parentheses to separate AND and OR conditions.

// Parenthesise each alternative so the r_areal filter applies to every branch,
// and join the IN test to the date test with AND inside each group.
$sqlc = "SELECT * FROM reservation
    WHERE (r_areal IN ('".$type."') AND '".$cid."' BETWEEN r_start AND r_ende)
       OR (r_areal IN ('".$type."') AND '".$cod."' BETWEEN r_start AND r_ende)
       OR (r_areal IN ('".$type."') AND '".$cid."' <= r_start AND '".$cod."' >= r_ende)
    ";
Ravinder Reddy