move "if" logic from php into query (PHP General forum)
I couldn't get the page to load when the logic for line 31, "($id == $_POST[recordID])", was in the query. Can the logic for that be moved to the query? I expect so.

I tried changing the where clause of the query, no go.

[thufir@localhost ~]$
[thufir@localhost ~]$ cat /var/www/html/insertContacts.php -n
     1  <html>
     2  <head><title>insert contacts</title></head>
     3  <body>
     4  <?php
     5
     6
     7  $user="feeds";
     8  $host="localhost";
     9  $password="password";
    10  $database = "feeds";
    11
    12  $connection = mysql_connect($host,$user,$password)
    13          or die ("couldn't connect to server");
    14  $db = mysql_select_db($database,$connection)
    15          or die ("Couldn't select database");
    16
    17  $query = "INSERT INTO contacts (id , notes) VALUES ('$_POST[recordID]' , '$_POST[contacts]')";
    18  $result = mysql_query($query)
    19          or die ("Couldn't execute insert query.");
    20
    21  $query = "SELECT contacts.id, px_items.id, title, notes FROM contacts, px_items WHERE
    22  contacts.id=px_items.id";
    23
    24  $result = mysql_query($query)
    25          or die ("Couldn't execute second query.");
    26
    27  while ($row = mysql_fetch_array($result))
    28  {
    29          extract ($row);
    30
    31          if ($id == $_POST[recordID])
    32          {
    33                  echo $id;
    34                  echo "<br>";
    35                  echo "$title";
    36                  echo "<br><br>";
    37                  echo $notes;
    38                  echo "<br><br><br><br>";
    39                  echo "<br><br><br><br>";
    40
    41          }//if
    42  }//while
    43
    44
    45
    46
    47  echo "<br>";
    48  echo "<a href=\"";
    49  echo "http://localhost/contacts.php";
    50  echo "\">";
    51  echo "http://localhost/contacts.php";
    52  echo "</a>";
    53  echo "<br><br>";
    54
    55
    56  echo "<br>";
    57  echo "<a href=\"";
    58  echo "http://localhost/items_notes.php";
    59  echo "\">";
    60  echo "http://localhost/items_notes.php";
    61  echo "</a>";
    62  echo "<br><br>";
    63
    64
    65  ?>
    66  </body> </html>
[thufir@localhost ~]$
[thufir@localhost ~]$ date
Thu Apr 26 09:24:31 BST 2007
[thufir@localhost ~]$
[thufir@localhost ~]$

thanks,

Thufir

On Thursday, 2007-04-26 at 08:28, Thufir wrote:
> I couldn't get the page to load when the logic for line 31, "($id ==
> $_POST[recordID])", was in the query. Can the logic for that be moved to the
> query? I expect so.
>
> I tried changing the where clause of the query, no go.

you SHOULD move it to the query, because if you need only that row, the rest of the while loop is just a waste of cycles.

however, before putting it into the query, first verify $_POST['recordID'] to avoid SQL injection. if it should be a number, just typecast it to int like this:

$rec_id = (int) $_POST['recordID'];

and there are other problems with your handling of the query result. you use extract, but have two columns named 'id'. this leads to confusion. either select them with an alias provided or select only one of them.

thus the query should be something like:

$query = "SELECT contacts.id AS c_id, px_items.id AS p_id, title, notes FROM contacts, px_items WHERE contacts.id=px_items.id AND contacts.id=$rec_id";

(or you can put px_items.id=$rec_id if that's the id you are looking for)

greets
Zoltán Németh

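The advice in the reply above, carried through as an added example (not code from any poster in this thread): the id filter lives in the WHERE clause, the two id columns are aliased, and both statements use bound parameters instead of interpolated request values. It assumes PDO with the pdo_sqlite driver and an in-memory database so that it runs offline; the table contents and the $post array are constructed stand-ins.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite via PDO (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE px_items (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec('CREATE TABLE contacts (id INTEGER, notes TEXT)');
$pdo->exec("INSERT INTO px_items VALUES (1, 'first item'), (2, 'second item')");

// Stand-in for $_POST. The notes value contains a quote, which would break
// the interpolated INSERT on line 17 of the original listing.
$post = ['recordID' => '2', 'contacts' => "called O'Brien <b>twice</b>"];

// Strict validation: unlike (int), this rejects "abc" or "2 OR 1=1"
// instead of silently turning them into 0 or 2.
$recId = filter_var($post['recordID'], FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
if ($recId === false) {
    http_response_code(400);
    exit('invalid recordID');
}

$insert = $pdo->prepare('INSERT INTO contacts (id, notes) VALUES (:id, :notes)');
$insert->execute([':id' => $recId, ':notes' => $post['contacts']]);

// The "if" from line 31 is now part of the WHERE clause, and the two id
// columns are aliased so extract()-style name clashes cannot occur.
$select = $pdo->prepare(
    'SELECT contacts.id AS c_id, px_items.id AS p_id, title, notes
       FROM contacts JOIN px_items ON contacts.id = px_items.id
      WHERE contacts.id = :id'
);
$select->execute([':id' => $recId]);

foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Escape on output: notes came straight from the request body.
    echo (int) $row['c_id'], "<br>\n";
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br><br>\n";
    echo htmlspecialchars($row['notes'], ENT_QUOTES, 'UTF-8'), "<br><br>\n";
}
```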
Thufir wrote:
> I couldn't get the page to load when the logic for line 31, "($id ==
> $_POST[recordID])", was in the query. Can the logic for that be moved to the
> query? I expect so.

$query = "SELECT contacts.id, px_items.id, title, notes FROM contacts, px_items WHERE contacts.id=px_items.id AND recordid='" . (int)$_POST['recordID'] . "'";

The (int) will make sure that it is a number (so a string becomes "0").

--
Postgresql & php tutorials
http://www.designmagick.com/

Chris wrote:
> Thufir wrote:
>> I couldn't get the page to load when the logic for line 31, "($id ==
>> $_POST[recordID])", was in the query. Can the logic for that be
>> moved to the
>> query? I expect so.
>
> $query = "SELECT contacts.id, px_items.id, title, notes FROM contacts, px_items WHERE contacts.id=px_items.id AND recordid='" . (int)$_POST['recordID'] . "'";
>
> The (int) will make sure that it is a number (so a string becomes "0").

i always use intval() on something i'm inserting into database that *should* be an integer. i don't know if there is a difference or a good reason to pick one or the other.. i'm not Richard so maybe he can create an interesting story for us on the *proper* way ;-)

On Apr 26, 1:45 am, dmag...@gmail.com (Chris) wrote:
[...]
> $query = "SELECT contacts.id, px_items.id, title, notes FROM contacts, px_items WHERE contacts.id=px_items.id AND recordid='" . (int)$_POST['recordID'] . "'";
>
> The (int) will make sure that it is a number (so a string becomes "0").
[...]

aha! thanks. this is like a cast, or making sure that it's a number, that the right type is passed?

ok :)

-Thufir

On Thu, April 26, 2007 4:02 am, Sebe wrote:
> i always use intval() on something i'm inserting into database that
> *should* be an integer. i don't know if there is a difference or a good
> reason to pick one or the other.. i'm not Richard so maybe he can
> create
> an interesting story for us on the *proper* way ;-)

Well...

(int) $foo;
intval($foo);

are pretty interchangeable, really.

Just depends if you're an old C hacker or you prefer making function calls.

I can't imagine doing enough of either in any real script for performance to be an issue, so let's skip the whole benchmark thread, please???

That said, I've recently decided that even after doing (int) [or intval()] that I'd like to be 100% kosher and still do mysql_real_escape_string.

Mainly because somebody pointed out that doing the same thing for (float) could yield things that may not be "good" in SQL like underflow, overflow, exponential notation, and also that the - sign in front *could* end up being part of a subtraction and you *could* manage to leave out the space, and then you've got an SQL comment instead of subtraction.

$a = (int) $_REQUEST['a'];
$b = (int) $_REQUEST['b'];
$query = "select $a-$b ";

http://example.com/a=5&b=-3

So the (int) or intval() is "not enough" imho.

YMMV

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
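The `$a-$b` case from the post above, run end to end as an added example that is not part of that post: with a=5 and b=-3 the interpolated text becomes `select 5--3 `, and in engines where `--` opens a comment without needing trailing whitespace the statement is cut short. It assumes PDO with the pdo_sqlite driver (SQLite is such an engine; MySQL only treats `--` as a comment when whitespace or a control character follows it), and the $request array is a constructed stand-in for $_REQUEST.

```php
<?php
// Added example: constructed inputs, in-memory SQLite via PDO (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$request = ['a' => '5', 'b' => '-3'];   // stand-in for $_REQUEST
$a = (int) $request['a'];
$b = (int) $request['b'];

// 1. Interpolated, as in the post: both values are valid integers, yet the
//    resulting text "5--3" contains a comment opener.
$naive = "select $a-$b ";
$naiveResult = $pdo->query($naive)->fetchColumn();

// 2. Bound parameters: the values never become SQL text, so the sign of $b
//    cannot merge with the subtraction operator.
$stmt = $pdo->prepare('select :a - :b');
$stmt->bindValue(':a', $a, PDO::PARAM_INT);
$stmt->bindValue(':b', $b, PDO::PARAM_INT);
$stmt->execute();
$boundResult = $stmt->fetchColumn();

// 3. If a number has to be interpolated, parenthesise each operand.
$paren = "select ($a)-($b)";
$parenResult = $pdo->query($paren)->fetchColumn();

$rows = [
    [$naive, $naiveResult],
    ['select :a - :b (bound)', $boundResult],
    [$paren, $parenResult],
];
foreach ($rows as [$sql, $value]) {
    printf("%-24s => %s\n", $sql, var_export($value, true));
}
```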