0

I have created a report page for a project and it is written in html and php. There are many input check boxes with different field names like inv,mfg,program,and site. What I'm tring to do is run a query based on what check boxes have been check and not have to do nested if statement. That can be messy and hard to upkeep. This is what I've gotten so far.

$option = array("inv" => $inv, "mfg" => $mfg, "program" => $program, "site" => $site);

foreach(array_keys($option) as $key) {
     echo $option[$key];
}

Where I'm having a major disconnect in my brain is how to translate this in to a query.

$result=mysql_query("SELECT * from database.table WHERE ****field is = to array key****");
Improve this question
4
  • Use the mysql IN clause: tutorialspoint.com/mysql/mysql-in-clause.htm Commented Jan 13, 2015 at 17:09
  • Being a noob I'm not 100% certain but my understanding of IN clause is that it replaces the OR when my query is looking for this AND that AND that. Thank you, this recommendation did help me on another sub query :) Commented Jan 13, 2015 at 18:07
  • I had misunderstood your question. I thought you were looking for a series of values in a single field. The answer below are valid but not very good because of the use of outdated functions and poor coding practice. Commented Jan 13, 2015 at 18:49
  • Thank you so much, and you are right about the old coding ways. I'm just making exploitable for my redteam. Also I don't think you really misunderstood. I may not have been clear being I rush sometimes and brain goes in 20 different directions. Again Thank you so much!! Commented Jan 13, 2015 at 20:02

2 Answers 2

Reset to default
1

Try something like:

$option = array("inv" => $inv, "mfg" => $mfg, "program" => $program, "site" => $site);
$checks = array();
foreach($option as $key => $value) {
     $checks[] = $key ."='" . $value . "' AND ";
}
if (count($checks) > 0)
{
  $result=mysql_query("SELECT * from database.table WHERE " . rtrim(implode('', $checks), ' AND'));
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Do not use mysql_* functions. Use PDO or MySQLi with prepared statements instead.
0

You want to pull out results depending on what fields are checked? If so, you could do something like this:

$option         = array("inv" => $inv, "mfg" => $mfg, "program" => $program, "site" => $site);
$where_query    = array();
foreach ($option as $key => $value) {
    $where_query[] = $key . " = '".$value."'";
}
$result= mysql_query("SELECT * from database.table WHERE implode(' AND ' , $where_query)");

This is quite a simple way of doing a query like this. I'd recommend investigating using something like PDO for your queries moving forward as your able to sanitise and prepare your queries. Make sure you escape any values you are passing to the database, otherwise someone may exploit it!

Improve this answer

2 Comments

Do not use mysql_* functions. Use PDO or MySQLi with prepared statements instead.
Thank you everyone!! I am aware that mysql_* functions are exploitable and that is part of the reason why I'm doing it this way. I want it to be exploitable to our internal Red Team for testing. I have a sanitize script that I use to sanitize but I'm not even using that at the moment.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.