
I am working on a PHP file and getting via POST this string:

$temas = $_POST['temas']; //$temas = ".45.12.34"

Where each of the numbers should be the id for a table record.

And I have following query

$query = "SELECT * FROM tb_preguntas WHERE tema = '".$temas."'";

I need to put each of the received ids in the WHERE part of the query.

Something like this: ... WHERE tema = 45 OR tema = 12 OR tema = 34

Of course, on each execution the string changes.

I have tried using the PHP explode function, but I don't know how to implement the result in the query.

  • replace dot(.) by comma(,) and use mysql where IN() Commented Sep 7, 2018 at 7:50
  • @DevsiOdedra, you mean first remove the dot(.), then replace (.) with (,) and finally use WHERE IN($temas)? Commented Sep 7, 2018 at 7:52
  • you're open to SQL injection and probably should look to resolve :) Commented Sep 7, 2018 at 7:57
  • @mvasco I could write up an answer explaining that you should first sanitise your input a bit trim($temas, '.'); to remove any unnecessary periods, then you could do str_replace('.', ',', $temas); to get it into the correct format for an SQL IN.... But I think really that's a really shitty answer for you :), this looks like an xy problem xyproblem.info. The way you're trying to do it is a bit shonky/dangerous, so a better answer for you would require more details, such as why is your POST format looking like ".45.12.34", can we improve that? Commented Sep 7, 2018 at 7:58
  • @mvasco sad but it happens! What's the next step in your code? What are you feeding your $query to? Commented Sep 7, 2018 at 8:00

5 Answers

4

My answer won't differ too much from everyone else's but it is an answer to address SQL injection + a solution

// ".45.12.34" -> ['45', '12', '34']; the empty piece from the leading dot is dropped
$ids = array_values(array_filter(explode('.', $_POST['temas']), 'strlen'));

// One placeholder per id. A single ":temas" bound to "45,12,34" would be compared
// as one string value, so the IN list has to be built as (?, ?, ?).
$placeholders = implode(',', array_fill(0, count($ids), '?'));

$res = $conn->prepare("select * from `tb_preguntas` WHERE `tema` in ($placeholders)");
$res->execute($ids);

here we use a prepared statement, now your code is safe woop woop


1 Comment

Much better to address the SQL injection issue as well rather than just ignoring it for the sake of internet points
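The same idea carried through end to end, as an added example that is not code from any answer on this page: the dotted string is validated into a list of integers first, and the placeholder list is generated to match it. It assumes a PDO connection (placeholder credentials in $pdo) and the tb_preguntas table from the question.

```php
<?php
// Added example, not code from any answer on this page. It assumes a PDO
// connection ($pdo, placeholder credentials) and the tb_preguntas table
// named in the question.

$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // let MySQL bind the values itself
    ]
);

// Split ".45.12.34" into [45, 12, 34]. Empty pieces (from the leading dot)
// are skipped; anything that is not pure digits is rejected instead of
// being passed on to the database.
function parseTemaIds(string $raw): array
{
    $ids = [];
    foreach (explode('.', $raw) as $piece) {
        if ($piece === '') {
            continue;
        }
        if (!ctype_digit($piece)) {
            throw new InvalidArgumentException("Invalid id fragment: $piece");
        }
        $ids[] = (int) $piece;
    }
    return array_values(array_unique($ids));
}

// One "?" per id: a single placeholder bound to "45,12,34" would be compared
// as one value, so the placeholder list has to be generated to match $ids.
function fetchPreguntasByTemas(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];   // "IN ()" is a syntax error in MySQL
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT * FROM `tb_preguntas` WHERE `tema` IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$ids  = parseTemaIds($_POST['temas'] ?? '.45.12.34');   // constructed fallback input
$rows = fetchPreguntasByTemas($pdo, $ids);
```

Because every piece must pass ctype_digit(), a value such as "45' OR 1=1" never reaches the query at all, and the bound values are sent separately from the SQL text.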
1

As suggested above, you can use the IN() function of mysql, however you have to remove the first period '.' and change the rest to commas ','.

// trim() drops the leading dot and str_replace() turns the rest into a comma list, giving IN(45,12,34).
// Without the surrounding quotes: IN('45,12,34') would be a single string value, not a list.
// The ids are interpolated straight into the SQL, so $temas must already be validated (digits and dots only).
$query = "SELECT * FROM `tb_preguntas` WHERE `tema` IN(" . str_replace('.', ',', trim($temas, '.')) . ")";

Comments

1

Best case scenario:

// only works when the string has no leading dot, e.g. "45.12.34"
$temas = implode(',', explode('.', $_POST['temas']));
$query = "select * from tb_preguntas WHERE tema in (" . $temas . ")";

but in your case the . comes first, which makes life so much harder, so a better solution would be:

$temas1 = explode('.', $_POST['temas']);
$temas2 = array();
foreach ($temas1 as $value) {
    // keeps only numeric pieces; the empty piece from the leading dot is dropped,
    // and the cast guarantees only integers end up in the SQL
    if (is_numeric($value)) {
        $temas2[] = (int) $value;
    }
}
$query = "select * from tb_preguntas WHERE tema in (" . implode(',', $temas2) . ")";

1 Comment

you probably have to first trim the first dot in the $temas variable...
1

Use explode() to split those numbers by '.' and it turns into an array.

Then run your queries in a loop over the length of the array like this:

$id = explode('.', $temas);
foreach ($id as $temas_id) {
    // bind the id instead of interpolating it into the SQL string
    $stmt = $conn->prepare("SELECT * FROM tb_preguntas WHERE tema = ?");
    $stmt->bind_param('s', $temas_id);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        // Execute code here if there's a result.
    }
    $stmt->close();
}

Comments

0

Please try this code.

$temas = $_POST['temas'];

// explode() on ".45.12.34" gives ['', '45', '12', '34']; drop the empty first piece
$temas = array_filter(explode('.', $temas), 'strlen');

// IN needs parentheses around the list. The values are interpolated unescaped here,
// and the mysql_* functions were removed in PHP 7; mysqli or PDO with bound values is the replacement.
$query = mysql_query("SELECT * FROM test_stipe WHERE tema IN ('" . implode("', '", $temas) . "')");

This code is working fine.

Comments
