i would like to filter out a bunch rows from a table of sql row
results.
i have a checkbox on each row named checkbox[x]
(x = the current row id)
i will submit the form and take all the rows that are checked and
filter out the ones that are not checked.
so if i had 10 rows and i checked 3 of them then when i submit the
form only those 3 rows will show up.
I was wondering what was the best way to call those rows in the sql
statement.
Would i just loop through the rows that were checked and add them to
the WHERE STATEMENT using the OR condition?
select * from rows where id = 3 or id = 2 or id = 6 or id = 10
so basically i would do something like this with the php code.
$sql = "select * from rows WHERE 1 ";
foreach ($_POST[checkbox] as $check){
$sql .= " OR id = $check";
}
I just think its slow to use so many OR conditions in one sql
statement, but i cant think of anyway else to do this.
Is the way i want to do this a good way?
Thanks for your help 11 3520
giloosh wrote:
Would i just loop through the rows that were checked and add them to
the WHERE STATEMENT using the OR condition?
select * from rows where id = 3 or id = 2 or id = 6 or id = 10
You could try the IN variant like:
select * from rows where id in ( ?, ?, ?, ?);
This might be a bit faster than the ORs...
Best regards,
Jan
--
_______________ _______________ _______________ _______________ _____________
insOMnia - We never sleep... http://www.insOMnia-hq.de
On Aug 29, 12:20 pm, Jan Thomä <k...@insomni a-hq.dewrote:
giloosh wrote:
Would i just loop through the rows that were checked and add them to
Thanks Jan.
I will do a few SQL tests to see which method is faster.
the WHERE STATEMENT using the OR condition?
select * from rows where id = 3 or id = 2 or id = 6 or id = 10
You could try the IN variant like:
select * from rows where id in ( ?, ?, ?, ?);
This might be a bit faster than the ORs...
Best regards,
Jan
--
_______________ _______________ _______________ _______________ _____________
insOMnia - We never sleep...http://www.insOMnia-hq.de
giloosh <gi*******@gmai l.comwrote in news:1188403377 .477061.290770
@o80g2000hse.go oglegroups.com:
Would i just loop through the rows that were checked and add them to
the WHERE STATEMENT using the OR condition?
select * from rows where id = 3 or id = 2 or id = 6 or id = 10
so basically i would do something like this with the php code.
$sql = "select * from rows WHERE 1 ";
foreach ($_POST[checkbox] as $check){
$sql .= " OR id = $check";
}
i'll assume this code is here for brevity, and that you're really making
sure that your $check variable contains what you're expecting it to (a
number).
I tend to craft my SQL 'where' statements AFTER checking for variables,
assembling them as a string, and appending them to a query.
ie:
$whereVar = "1";
foreach($_POST['checkbox'] as $check) {
if(is_numeric($ check)) {
$whereVar .= " OR id='$check'";
}
}
$sql = "SELECT * FROM rows WHERE $whereVar";
ps: naming a MySQL table "rows" can certainly lead to confusion down the
road... try to stay away from reserved words and their permutations
entirely
I just think its slow to use so many OR conditions in one sql
statement, but i cant think of anyway else to do this.
As long as "id" is properly indexed, it won't be slow. You're searching
for results based on conditions... there's no way to avoid searching!
giloosh wrote:
On Aug 29, 12:20 pm, Jan Thomä <k...@insomni a-hq.dewrote:
>giloosh wrote:
>>Would i just loop through the rows that were checked and add them to
Thanks Jan.
I will do a few SQL tests to see which method is faster.
>>the WHERE STATEMENT using the OR condition? select * from rows where id = 3 or id = 2 or id = 6 or id = 10
You could try the IN variant like:
select * from rows where id in ( ?, ?, ?, ?);
This might be a bit faster than the ORs...
Best regards, Jan
-- ______________ _______________ _______________ _______________ ______________ insOMnia - We never sleep...http://www.insOMnia-hq.de
You could even ask in a SQL group, since this isn't a PHP question.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Good Man wrote:
>
i'll assume this code is here for brevity, and that you're really making
sure that your $check variable contains what you're expecting it to (a
number).
I tend to craft my SQL 'where' statements AFTER checking for variables,
assembling them as a string, and appending them to a query.
I always use the placeholder notation for doing SQL. Concatening SQL strings
from input values is almost certainly a safe path to SQL injection. So what
i'd do is:
foreach( ... ) {
$where .= "OR id = ?";
}
and then use a framework like AdoDB to have them replace the placeholders.
Saves a lot of time and problems...
Best regards,
Jan
--
_______________ _______________ _______________ _______________ _____________
insOMnia - We never sleep... http://www.insOMnia-hq.de
Jan Thomä wrote:
Good Man wrote:
>i'll assume this code is here for brevity, and that you're really making sure that your $check variable contains what you're expecting it to (a number).
I tend to craft my SQL 'where' statements AFTER checking for variables, assembling them as a string, and appending them to a query.
I always use the placeholder notation for doing SQL. Concatening SQL strings
from input values is almost certainly a safe path to SQL injection. So what
i'd do is:
foreach( ... ) {
$where .= "OR id = ?";
}
and then use a framework like AdoDB to have them replace the placeholders.
Saves a lot of time and problems...
Best regards,
Jan
Not if you properly cleanse your input. Ensure numeric values are
really numeric, and string values are processed through
mysql_real_esca pe_string(), for instance.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Jerry Stuckle wrote:
Jan Thomä wrote:
>I always use the placeholder notation for doing SQL. Concatening SQL strings from input values is almost certainly a safe path to SQL injection.
Not if you properly cleanse your input. Ensure numeric values are
really numeric, and string values are processed through
mysql_real_esca pe_string(), for instance.
Thanks for the input, and yes I agree, you should definitely cleanse your
input before feeding it to the database. My point was simply, that when you
give this kind of work to a framework and always use the ? notation, you
are safe from injection, even if you forget to check a single input
variable (which surely happens from time to time). Also you don't have to
do the conversions to different formats manually, so you save a bit of time
and effort.
Best regards,
Jan
--
_______________ _______________ _______________ _______________ _____________
insOMnia - We never sleep... http://www.insOMnia-hq.de
On Aug 30, 9:11 am, Jan Thomä <k...@insomni a-hq.dewrote:
Jerry Stuckle wrote:
Jan Thomä wrote:
I always use the placeholder notation for doing SQL. Concatening SQL
strings from input values is almost certainly a safe path to SQL
injection.
Not if you properly cleanse your input. Ensure numeric values are
really numeric, and string values are processed through
mysql_real_esca pe_string(), for instance.
Thanks for the input, and yes I agree, you should definitely cleanse your
input before feeding it to the database. My point was simply, that when you
give this kind of work to a framework and always use the ? notation, you
are safe from injection, even if you forget to check a single input
variable (which surely happens from time to time). Also you don't have to
do the conversions to different formats manually, so you save a bit of time
and effort.
Best regards,
Jan
--
_______________ _______________ _______________ _______________ _____________
insOMnia - We never sleep...http://www.insOMnia-hq.de
thanks for the feedback...
isn't is safe to just put quotes around the variable
$id = $_POST['id']
$q = "select * from table1 where id = '$id'";
even if id holds none numeric characters, it's still safe... no?
On Aug 31, 2:18 pm, giloosh <giloos...@gmai l.comwrote:
On Aug 30, 9:11 am, Jan Thomä <k...@insomni a-hq.dewrote:
Jerry Stuckle wrote:
Jan Thomä wrote:
>I always use the placeholder notation for doing SQL. Concatening SQL
>strings from input values is almost certainly a safe path to SQL
>injection.
Not if you properly cleanse your input. Ensure numeric values are
really numeric, and string values are processed through
mysql_real_esca pe_string(), for instance.
Thanks for the input, and yes I agree, you should definitely cleanse your
input before feeding it to the database. My point was simply, that whenyou
give this kind of work to a framework and always use the ? notation, you
are safe from injection, even if you forget to check a single input
variable (which surely happens from time to time). Also you don't have to
do the conversions to different formats manually, so you save a bit of time
and effort.
Best regards,
Jan
--
_______________ _______________ _______________ _______________ _____________
insOMnia - We never sleep...http://www.insOMnia-hq.de
thanks for the feedback...
isn't is safe to just put quotes around the variable
$id = $_POST['id']
$q = "select * from table1 where id = '$id'";
even if id holds none numeric characters, it's still safe... no?
No. That introduces sql injection and cross site scripting
vulnerabilities . mysql_real_esca pe_strings, as previously suggested,
will help prevent against this. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Sans Spam |
last post by:
Greetings! I have a table that contains all of the function
permissions within a given application. These functions are different
sections of a site and each has its own permissions (READ, WRITE,
UPDATE, DELETE) which are controlled by a web frontend and the table
records are manipulated to control the permissions.
Example:
The Press Release section record would look like this:
Username: John Doe
Function Name: Press Release
|
by: Alan Mailer |
last post by:
Imagine I had a table called MyTable with the following values:
Field1 Field2
____ _____
A X
AA R
B X
BB T
Now, say I want to return only rows which match *BOTH* of the
|
by: Steven An |
last post by:
Howdy,
I need to write an update query with multiple aggregate functions.
Here is an example:
UPDATE t
SET
t.a = ( select avg(f.q) from dbo.foo f where f.p = t.y ),
t.b = ( select sum(f.q) from dbo.foo f where f.p = t.y )
FROM dbo.test t
|
by: merdaad |
last post by:
I am trying to read multiple rows from an SP into a datalist.
I can easily read and display multiple rows if I use a select statement but when I call an SP to send me a few rows, I only get back the first row. I can also read multiple rows from SP if I have a single select statement in the S
Here is the code:
System.Data.SqlClient.SqlCommand cm;
System.Data.SqlClient.SqlDataReader dr = null;
cm = new...
|
by: John Bailo |
last post by:
The c# *return* statement has been bothering me the past few months.
I don't like the fact that you can have different code paths in a method
and have multiple return statements. To me, it would be more orthogonal
if a method could only have one return statement.
--
| |
by: Maximus |
last post by:
Hi,
I was just wondering, is it good to use return without arguments in a void
function as following:
void SetMapLayer()
{
if( !Map ) return;
layer = LAYER_MAP;
}
|
by: fip |
last post by:
Hi,
On DB2 7.1.2 on MVS OS 390, when I tried to do an insert with
multiple row contents in the values clause:
insert into table11 values('aaaa', 'fa'), ('bbbb', 'fb')
I got the error:
DB21034E The command was processed as an SQL statement because it
|
by: Robert Brown |
last post by:
Hi All.
I have a routine that checks a SQL Table for all records 3 months
prior to a predetermined date, then I insert them into an Archive DB
then delete those records from the original table.
When I do a "select" for the records, I load them into a dataset, use
an "insert" statement to insert the info into the second table (by a
for next loop and using executenonquery , then a "delete" statement to
remove them.
|
by: p175 |
last post by:
Hi people,
I have a stored procedure that creates many Global temporary
session tables. Into each of these tables go the results of various
processing using relational division all keyed and based on a common ID
from an ID session table. So we can have various session tables with
differing results but if they contain records, they are all keyed to
the common ID.
My problem now however is how do I report the overall findings of the
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |