3

This is my first query, i want to use the multiple itemID's extracted for another query.

$conn = new mysqli(server, dbuser, dbpw, db);
$email = $_GET['email'];
$querystring = "SELECT itemID from mycart where email = '".$email."' ";
$result = $conn->query($querystring);
$rs = $result->fetch_array(MYSQLI_ASSOC);

The second query that need

$query = "SELECT * from CatalogueItems where itemID = '".$itemID."'";

How do i make these 2 query run?

  • Did you FETCH the result row from the first query anywhere? – RiggsFolly Nov 23 '18 at 11:00
  • Did you execute either of those queries? Putting a piece of SQL in a string variable does Absolutely Nothing to actually run that query or get the results from that query – RiggsFolly Nov 23 '18 at 11:01
  • You shouldn't directly concatenate submitted data into a DB query, because that leaves you vulnerable to [SQL injection attacks](http://bobby-tables.com/)! For [PHP](http://bobby-tables.com/php), use prepared statements with bound parameters. – Agi Hammerthief Nov 23 '18 at 11:20

3 Answers3

1

Refer to the first query as a subquery in the second:

$query = "SELECT * from CatalogueItems WHERE itemID IN ";
$query .= "(" . $querystring . ")";

This is preferable to your current approach, because we only need to make one single trip to the database.

Note that you should ideally be using prepared statements here. So your first query might look like:

$stmt = $conn->prepare("SELECT itemID from mycart where email = ?");
$stmt->bind_param("s", $email);
Tim Biegeleisen
  • 502,043
  • 27
  • 286
  • 360
1

Firstly, Your code is open to SQL injection related attacks. Please learn to use Prepared Statements

Now, from a query point of view, you can rather utilize JOIN to make this into a single query:

SELECT ci.* 
FROM CatalogueItems AS ci
JOIN mycart AS mc ON mc.itemID = ci.itemID 
WHERE mc.email = $email  /* $email is the input filter for email */

PHP code utilizing Prepared Statements of MySQLi library would look as follows:

$conn = new mysqli(server, dbuser, dbpw, db);
$email = $_GET['email'];

$querystring = "SELECT ci.* 
                FROM CatalogueItems AS ci
                JOIN mycart AS mc ON mc.itemID = ci.itemID 
                WHERE mc.email = ?";  // ? is the placeholder for email input

// Prepare the statement
$stmt = $conn->prepare($querystring);

// Bind the input parameters
$stmt->bind_param('s', $email);  // 's' represents string input type for email

// execute the query
$stmt->execute();

// fetch the results
$result = $stmt->get_result();
$rs = $result->fetch_array(MYSQLI_ASSOC);

// Eventually dont forget to close the statement
// Unless you have a similar query to be executed, for eg, inside a loop
$stmt->close();
Madhur Bhaiya
  • 28,155
  • 10
  • 49
  • 57
0

This creates a variable out of your result

$query = "SELECT itemID FROM mycart WHERE email = :email";

$stm = $conn->prepare($query);
$stm->bindParam(':email', $email, PDO::PARAM_STR, 20);
$stm->execute();
$result = $stm->fetchAll(PDO::FETCH_OBJ);
                        foreach ($result as $pers) {
                                $itemID = $pers->itemID;
                        }
Jop Rill
  • 65
  • 8