
I'm trying to include a word (the name of a shop) that is in another PHP file in this query; I already tried different ways but without success.

This is what I have:

<?
$queryentA2 = mysql_query("SELECT * FROM `client_invoices` WHERE 1 AND `paid` = 'ent' AND `date_due` > '2018-12-31' AND `shop` = 'include('shop.php')'");
$numberentA2 = mysql_num_rows($queryentA2);
?>

I expect the number of entries for that shop but no information is displayed.

RibAs
  • If you concatenated, maybe. What's in the file? You should not use `mysql_` functions anymore. – user3783243 Jun 16 '19 at 01:19
  • In the file is just the location of the shop: Lisbon. Why can't I use mysql_ anymore? If I change the "include('shop.php')" to "Lisbon" it is working fine... – RibAs Jun 16 '19 at 01:24
  • Please do not use mysql_. Use mysqli_ or PDO. What is in shop.php? – TimBrownlaw Jun 16 '19 at 01:27
  • Just the location of the shop: Lisbon. I made it this way to use the same site and code for 5 different shops. – RibAs Jun 16 '19 at 01:39

1 Answer

$queryentA2 = mysql_query("SELECT * FROM `client_invoices` WHERE 1 AND `paid` = 'ent' AND `date_due` > '2018-12-31' AND `shop` = 'include('shop.php')'");

You can't do that. There are a couple of ways to do this

  1. Include a variable and then use that

    <?php
    // shop.php: defines the value the query will use
    $var = 'Some value';
    

    then

    <?php
    // main file: pull in shop.php so that $var is defined here
    include 'shop.php';
    $queryentA2 = mysql_query("SELECT * FROM `client_invoices` WHERE 1 AND `paid` = 'ent' AND `date_due` > '2018-12-31' AND `shop` = '" . $var . "'");
    
  2. Put the value as a naked string and then pull the whole file. So your include.php (or any file type) looks like

    Some Value
    

    then

    // read the raw file contents; trim() drops the trailing newline that would
    // otherwise stop `shop` = '...' from matching. mysql_real_escape_string()
    // needs an open mysql_connect() connection.
    $var = mysql_real_escape_string(trim(file_get_contents('include.php')));
    $queryentA2 = mysql_query("SELECT * FROM `client_invoices` WHERE 1 AND `paid` = 'ent' AND `date_due` > '2018-12-31' AND `shop` = '" . $var . "'");
    

NOTE: Normally you would want to use something like mysqli prepared statements. Since this is the older, removed API (which means this is probably an end-of-life PHP version), this poster likely has a myriad of other issues.

Machavity
  • @Dharman Er, no. This is a **local data source**. As far as the `mysql_` extension, that's what the OP used. I agree they should use `mysqli` – Machavity Jun 18 '19 at 22:31
  • What do you mean local data source? What difference does it make to SQL? You should recommend to use mysqli if you know the other extension is gone and deprecated for the past 6 years. – Dharman Jun 18 '19 at 22:32
  • @Dharman There are comments about that under the question. As far as sanitized data goes, because he's pulling data from a local data source. In other words, he's reading from a file on his server. While a prepared statement would be preferable overall, the older API doesn't support that. Since he's not using user-supplied data, you can get away with just inserting it directly. This is the only place you can do that – Machavity Jun 18 '19 at 22:36
  • Now imagine another person has a similar problem and will find your answer in Google. They might think that if a user with 25k reputation recommends using this solution (with SQL injection bug and API which was removed) that it is ok to continue doing so. You got my down vote, because you have made no effort to solve the main issue that OP has. Even a huge bold warning message at the top of your post would be ok to warn anyone else about dangers of SQL injection and mysql_* API. – Dharman Jun 18 '19 at 22:42
  • If the name of the shop is `O'Reilly's` then there is a problem. **NEVER** put any kind of data directly into SQL query. – Dharman Jun 18 '19 at 22:43
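The following is an added example, not the answer's or the asker's code. It takes the same approach as the answer's option 2 (the shop name lives in a plain file and is read at runtime) but binds the value as a prepared-statement parameter instead of concatenating it, so a name such as `O'Reilly's` from the last comment is handled as data. It assumes PDO with the SQLite driver so it runs without a MySQL server; the table, the rows and the stand-in `shop.php` are all constructed inside the script. For MySQL, only the DSN in `new PDO(...)` would change; `prepare()`/`execute()` are the same calls.

```php
<?php
// Added example (not the answer's code). The shop name comes from a local
// file, as in the question, but is bound as a parameter rather than pasted
// into the SQL string. Everything below is constructed for the demonstration.

// Constructed stand-in for shop.php: one line holding the shop name,
// deliberately containing apostrophes.
$shopFile = tempnam(sys_get_temp_dir(), 'shop');
file_put_contents($shopFile, "O'Reilly's\n");

// In-memory SQLite so the script runs offline; swap the DSN for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE client_invoices (id INTEGER PRIMARY KEY, paid TEXT, date_due TEXT, shop TEXT)");
$pdo->exec("INSERT INTO client_invoices (paid, date_due, shop) VALUES
    ('ent', '2019-03-01', 'O''Reilly''s'),
    ('ent', '2019-04-01', 'O''Reilly''s'),
    ('ent', '2018-01-01', 'O''Reilly''s'),
    ('ent', '2019-03-01', 'Lisbon')");

// Read the shop name; trim() drops the trailing newline that would otherwise
// make the equality test fail silently.
$shop = trim(file_get_contents($shopFile));

// Bind the value: the driver keeps it out of the SQL text, so the apostrophes
// in the name are data, not syntax. Only rows after 2018-12-31 are counted.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM client_invoices WHERE paid = 'ent' AND date_due > '2018-12-31' AND shop = ?");
$stmt->execute([$shop]);
echo "Prepared statement: " . $stmt->fetchColumn() . " invoice(s) for $shop\n";

// The concatenated form from the answer, fed the same value: the quote in
// O'Reilly's ends the string literal early and the statement is rejected.
try {
    $pdo->query("SELECT COUNT(*) FROM client_invoices WHERE paid = 'ent' AND date_due > '2018-12-31' AND shop = '" . $shop . "'");
} catch (PDOException $e) {
    echo "Concatenation: " . $e->getMessage() . "\n";
}

unlink($shopFile);
```

The same shape works with `mysqli`: `$stmt = $mysqli->prepare("... AND shop = ?"); $stmt->bind_param('s', $shop); $stmt->execute();`. Binding also removes the dependency on an open connection that `mysql_real_escape_string()` has, and it does not matter whether the value came from a file, a form or a config option.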