How to LIMIT results in html php/sql query?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I need to limit results in the following query type:

I found a reference that says I should be able to use LIMIT x[,y], but
I don't know where/exactly how to add that to the string.  Once I know
what it's supposed to look like, and can write something to generate

If someone could post an example using the above and limiting the
output to 100 records starting at position 1, that would be great.

Re: How to LIMIT results in html php/sql query? wrote:
Quoted text here. Click to load it

It really depends on the database you're using.
In mysql, adding " LIMIT 5" to the end of your sql statement will return  
5 rows, adding "LIMIT 10, 20" will return 20 rows starting with row  
number 10.

It should also be noted that passing the database query in the URL like  
your example shows is a _really_bad_ idea if you expect to allow other  
people to use this page, and just a bad idea otherwise.

What would prevent some malicious user from manually changing the url to  
  try and execute the statement "DELETE+ALL+FROM+super_important_table",  


Re: How to LIMIT results in html php/sql query?

Carl wrote:

Quoted text here. Click to load it

The database is read-only, but thanks for the warning.

How exactly do I add "LIMIT 10, 20" to the html string? I tried some
different ways and either got error messages (generic) or it had no

This is using MySQL, and I know LIMIT is supported.

For example: I tried adding
to the end, or before the
I Also tried adding
(no "+")

I think maybe the &sql_order at the end needs rewritten using LIMIT.

I need the specific syntax, "+", "&", "%2C", etc. to add (say) LIMIT
10,20 to this:


Re: How to LIMIT results in html php/sql query? wrote:
Quoted text here. Click to load it

LIMIT must come after ORDER BY in a SQL query.

But obviously, the PHP code is concatenating the sql_order after the  
sql_query in some manner.  We don't know what it's doing.  We don't even  
know from your example what the legal values for sql_order are.  Are  
they field names by which to sort?  We don't know how it interprets the  
blank string, as is being passed here.

For instance, it _might_ be concatenating the values of sql_query and  
sql_order like this:

$sql = $sql_query
  . "ORDER BY "
  . ($sql_order ? $sql_order : "DefaultField")

So even if you were to pass "DefaultField LIMIT 10,20" for the sql_order  
parameter, you'd end up with a syntax error in the resulting SQL,  
because "ASCENDING" appears out of place.  And this is assuming  
sql_order is there to name the field by which to sort.  It could have  
some totally different meaning within the PHP code.

Bill K.

Re: How to LIMIT results in html php/sql query?

In comp.databases wrote:
Quoted text here. Click to load it

What you seem to be doing here is very dangerous.  Suppose someone saw
that URL and rewrote it as follows:

Or even:

This is called an "SQL injection" vulnerability -- where your
application allows the user to enter arbitrary SQL statements.  These
can yield all sorts of undesired results:

    * public accessibility of private information
    * destruction of information (as above)
    * crashing of your database server (by writing a query that
      takes massive computational resources to compute)
    * corruption of information, possibly with substantial financial

As an example of the last, imagine that your database is serving an
online store application, and includes the price list.  If the user can
enter an arbitrary query (and the store application has the access
privileges to do so -- another error, perhaps) then the user could alter
prices and then place orders for really cheap goods.  :)


Site Timeline