
Is it possible to do this with SQL?

I need to make a SQL selection depending on whether `$query` is false: `WHERE (u.id_user = ".$userId." OR fu.id_user = ".$userId." OR ff.id_user = ".$userId.")"` ELSE `"$query"`;

That's my starting point where both conditions have to be met:

    $validatedSearchData = array(
        "q" => strip_tags($_GET["q"])
    );

    $query = " AND a.tags LIKE " . lib::$db->qstr("%" . $validatedSearchData["q"] . "%");

    $feed = lib::$db->GetAll("SELECT SQL_CALC_FOUND_ROWS
                                  a.*,
                                  u.name,
                                  fu.id_user AS fu_user_id,
                                  ff.id_followed_user AS ff_user_id
                              FROM feed AS a
                              LEFT JOIN userfollow AS fu ON a.id_author = fu.id_user
                              LEFT JOIN userfollow AS ff ON a.id_author = ff.id_followed_user
                              INNER JOIN user_profiles AS u ON a.id_author = u.id_user
                              WHERE (u.id_user = " . $userId . " OR fu.id_user = " . $userId . " OR ff.id_user = " . $userId . ")" . $query . "
                              GROUP BY a.id_article
                              ");
marc_s
idm

  • Simply OR instead of AND? – jarlh Mar 04 '20 at 09:57
  • replace `AND` by `OR` in your `$query` – Cid Mar 04 '20 at 09:57
  • For start you have SQLi in your script, take a look here for more information: https://owasp.org/www-community/attacks/SQL_Injection and use PDO or MySQLi functions in PHP – Inazo Mar 04 '20 at 09:57
  • @Inazo Thanks for the tip. Can you give an example? Sorry, pretty new to this. – idm Mar 04 '20 at 10:02
  • @idm Take a look here for examples : https://www.php.net/manual/en/pdo.prepare – Inazo Mar 04 '20 at 10:04
  • @Inazo thanks! Can you point to the "you have SQLi in your script" part, so I can start from somewhere to understand what I do wrong and learn from the examples. – idm Mar 04 '20 at 10:12
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Mar 04 '20 at 10:23
  • @Dharman Can you give me an example? I really don't understand this prepared statements thing. What's wrong with my query above? I will really, really appreciate an example to understand. Thank you! – idm Apr 11 '20 at 08:11
  • You can't put PHP variables in SQL like this `".$userId."`. You should use placeholders. `WHERE (u.id_user = ? OR ...` – Dharman Apr 11 '20 at 09:50

1 Answer

Change this line

    $query = " OR a.tags LIKE " . lib::$db->qstr("%" . $validatedSearchData["q"] . "%");

i.e. put OR in place of AND.

Tushar
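An added example, not from the question or Tushar's answer: the same feed query with the optional tag filter (the question's `$query`) joined by AND or OR, but with every user value passed as a bound parameter, as the comments recommend. It is a Python/sqlite3 translation of the page's PHP (`SQL_CALC_FOUND_ROWS` is MySQL-only and dropped), the schema and rows are constructed here so it runs offline, and the `ESCAPE` clause is an addition so a user-typed `%` or `_` matches literally.

```python
import sqlite3

# Constructed in-memory schema mirroring the tables named in the question
# (sample rows are made up for this example).
SCHEMA = """
CREATE TABLE user_profiles (id_user INTEGER, name TEXT);
CREATE TABLE userfollow (id_user INTEGER, id_followed_user INTEGER);
CREATE TABLE feed (id_article INTEGER, id_author INTEGER, tags TEXT);
INSERT INTO user_profiles VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO userfollow VALUES (1, 2);            -- alice follows bob
INSERT INTO feed VALUES (10, 1, 'php,sql'), (11, 2, 'news'),
                        (12, 3, 'php'), (13, 3, 'misc');
"""

def escape_like(term):
    """Escape LIKE wildcards so a user-typed '%' or '_' matches literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def build_feed_query(user_id, tag=None, combine="AND"):
    """Return (sql, params). The tag filter is optional (the question's $query)
    and is joined with AND or OR; every user value is a bound parameter."""
    if combine not in ("AND", "OR"):   # only these two keywords may be spliced in
        raise ValueError("combine must be AND or OR")
    sql = """SELECT a.id_article, u.name
             FROM feed AS a
             LEFT JOIN userfollow AS fu ON a.id_author = fu.id_user
             LEFT JOIN userfollow AS ff ON a.id_author = ff.id_followed_user
             INNER JOIN user_profiles AS u ON a.id_author = u.id_user
             WHERE (u.id_user = ? OR fu.id_user = ? OR ff.id_user = ?)"""
    params = [user_id, user_id, user_id]
    if tag:
        sql += f" {combine} a.tags LIKE ? ESCAPE '\\'"
        params.append("%" + escape_like(tag) + "%")
    sql += " GROUP BY a.id_article ORDER BY a.id_article"
    return sql, params

def run_feed(user_id, tag=None, combine="AND"):
    """Execute the query against the constructed schema; return article ids."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    sql, params = build_feed_query(user_id, tag, combine)
    return [row[0] for row in con.execute(sql, params)]

if __name__ == "__main__":
    print(run_feed(1))               # own + followed:        [10, 11]
    print(run_feed(1, "php"))        # ... AND tagged php:    [10]
    print(run_feed(1, "php", "OR"))  # ... OR tagged php:     [10, 11, 12]
    print(run_feed(1, "%"))          # literal '%' in tags:   []
```

The PHP equivalent is the same string assembly with `?` placeholders and the `$params` array handed to `PDOStatement::execute()`, so `$userId` and the search term never become part of the SQL text.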