New to php and MySQL

I'm quite new to MySQL and php so please go easy. Thanks!

I'm trying to design a very basic php script which displays the
contents of the table, then I want to enable the user to filter out
certain results. So I went about writing a MySQL query something like
.....WHERE gender="$gender" AND group="$group" and then wrote a
form which sets the variables $gender and $group. Now is there a way of
setting $gender and $group to something that would display the whole

And is this the right way of going about this? Or is there a better
way... In fact, does anyone know of a good site that might guide me in
creating such a script?



Re: New to php and MySQL

If you change your SQL to the form WHERE gender LIKE '$gender' then you
can make use of the MySQL wildcard '%' to get all results.

Re: New to php and MySQL

If you want to do this you'd probably be better off using the keyword
LIKE and the wildcard (%) instead of the = sign alone
for instance
WHERE gender LIKE "$gender%"  

would match 'male' if you input 'm', 'ma', 'mal' or 'male'

If it doesn't contain anything you would get all records.
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs

Re: New to php and MySQL

That sounds like exactly what I needed! I'll try that out now.

Thanks very much.


Geoff Berrow wrote:

Re: New to php and MySQL

Alex wrote:

Alex, A serious warning: SQL_injection.

Make sure you understand how The Bad Guys try to inject stuff into your  
queries and take over your database.

If you receive a searchterm from a form, and proceed like this, you might  
get into trouble:

$firstName = $_POST["firstName"];
$SQL = "SELECT firstname, lastname from tblusers WHERE ";
$SQL .= " (lastname LIKE '%".$firstName."%'); ";
etc. etc

Now the $firstName variable could possibly contain something very nasty you  
didn't expect, like:
%'); DELETE FROM tbluser; etc

If you execute that query, you might find out your tbluser is empty..

If you are new to PHP and SQL, make sure you understand SQL-injection, and  
prepare yourself.
Have a look at functions like addslashes() and check php.ini for things like  
gpc_magic_quotes, etc

Best of luck!

Erwin Moller

Re: New to php and MySQL

Alternatively, check to see if $gender and $group are set.  Build your  
query dynamically and only use them if they are set, i.e. (Assumes  
gender and query are strings):

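   $genset = false;               // true once a WHERE clause has been started
   $query = 'SELECT ...';
   if (isset($gender)) {  // Or however you wish to test
     $query .= " WHERE gender='$gender'";
     $genset = true;
   }
   if (isset($group)) {
     if ($genset) {
       $query .= " AND ";         // a condition already exists, so chain with AND
     } else {
       $query .= " WHERE ";       // first condition, so start the WHERE clause
     }
     // GROUP is a reserved word in MySQL, so the column name is backtick-quoted
     $query .= "`group`='$group'";
   }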

Or something similar.

And yes, you do need to ensure $gender and $group are validated to  
prevent SQL injection attacks.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
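
The optional-filter query from the posts above, rebuilt with bound parameters so the injection warning in this thread no longer applies. This is an added example, not code from any poster: the function name buildFilterQuery, the table people and its rows are constructed, and an in-memory SQLite database accessed through PDO stands in for MySQL so the script runs offline.

```php
<?php
// Added example: optional filters built with bound parameters, not string concatenation.
// Assumptions: the "people" table and its rows are constructed sample data, and
// SQLite in memory stands in for MySQL (both accept backtick-quoted identifiers).

function buildFilterQuery(array $input): array
{
    // Allow-list of form field => column name. User input is never placed in
    // the SQL text; it only ever travels as a bound value.
    $columns = ['gender' => 'gender', 'group' => '`group`'];
    $where = [];
    $params = [];
    foreach ($columns as $field => $column) {
        if (isset($input[$field]) && $input[$field] !== '') {
            $where[] = "$column = :$field";
            $params[":$field"] = $input[$field];
        }
    }
    $sql = 'SELECT name, gender, `group` FROM people';
    if ($where) {                       // no filters set: return the whole table
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT, gender TEXT, `group` TEXT)');
$pdo->exec("INSERT INTO people VALUES ('Ann','female','a'), ('Bob','male','a'), ('Cy','male','b')");

$requests = [
    [],                                          // no filter at all
    ['gender' => 'male'],
    ['gender' => 'male', 'group' => 'a'],
    ['gender' => "%'); DELETE FROM people; --"], // hostile input, handled as plain data
];
foreach ($requests as $input) {
    [$sql, $params] = buildFilterQuery($input);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    printf("%-70s => %d row(s)\n", $sql, count($stmt->fetchAll(PDO::FETCH_ASSOC)));
}
// The table is intact after the hostile request because the value was bound, not parsed.
echo 'rows left in table: ', $pdo->query('SELECT COUNT(*) FROM people')->fetchColumn(), "\n";
```

Against MySQL only the PDO connection string changes; the query builder itself stays the same.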
