$_REQUEST in SQL QUERY

padma

Can anybody please tell me what's wrong with the following SQL Statement.

$TitleQuery = "select land_page_name, lp.land_page_id from land_page_aware la, land_pages lp ";

$TitleQuery .= "where land_page_aware_nav_id = $_REQUEST[track_id] ";

$TitleQuery .= "and lp.land_page_id = la.land_page_id ";

$TitleQuery .= "and lp.land_folder_name = '$folder_name' ";

Something wrong with the $_REQUEST[track_id]

The above query works on NT, Apache, PHP 4.2.3 and it's not working on HP UX, iplanet, PHP 4.2.3.

Thanks

😕 😕

_SuperString

$TitleQuery .= "where land_page_aware_nav_id = $_REQUEST[track_id] ";

You need to do this:

$TitleQuery .= "where land_page_aware_nav_id = ".$_REQUEST['track_id'];

You should have single quotes aroud the varaible name.

bobby_rahman

Hiya,

I have seperated out my PHP code into many different layers

For example Login.html displays login screen to user. They enter details which is posted to login.php. Within login.php have some code which does something similar to

if login(username, password)
{
//do something
}

login.php calls user.api which defines the login function.
function login(username, password)
{
$querystring = ("select * from user
where username='$username'
and password = password('$password')");
db_query($querystring)

This calls the function db_query in db.api.php :
function db_query($querystring)
{
$db_result = mysql_query($querystring);
}

Now the problem is that one person advised me it is not good to send the whole querystring to db.api and to use $REQUEST instead of $SESSION im using to pass globval variables.

Now the reason I designed it like this was to be able to change the database in one file db.api.php if neccessary.

Can anyone tell me how I can use $_REQUEST and also keep some level of database abstraction from the user.api.php, the login.php and login.html

Any suggestions would be great

PS ( how hard would it be to convert all my db code to work with PEAR db)

Cheers

Bobster

edwardsbc

Padma,
This will also work:

$TitleQuery .= "where land_page_aware_nav_id = {$_REQUEST['track_id']}";

You should understand that your code was failing because when PHP is parsing double quoted strings for variables it does it very simply. It was simply trying to evaluate $_REQUEST as a scalar instead of as an array. PHP stopped at the square bracket because that is not a valid character in a variable name. Using the curly brackets tells PHP to evaluate everything in them as a PHP variable.

You should also always use single quotes (and in evaluated cases double quotes) on text element names. Within double quoted strings, PHP evaluates the element name correctly (without quotes). For example this works as you would expect:

echo "Track ID: {$_REQUEST[track_id]}";  //(Not recommended but works)

But this behaviour may change in future versions. In other contexts PHP generates a warning that, say track_id, is not a valid named constant. It then goes on to assume you meant to use a quoted value:

echo 'Track ID: '.$_REQUEST[track_id]; //(Works/Generates Warning)

But again this behaviour could change in the future. It is best to always explicitly quote element names so PHP doesn't even try to look the value up in the constant table.

Too much information I know, but lots of beginners read these things!