Help me with escaping. I'm trying to build a 'dynamic query to the database'. That is, we have 2 tables, users and location. If the user specified a city when searching, we take it into account in the query; if not, we ignore it and run the query without a city filter. But I just can't get the quotes right: either they interfere with each other or they don't work at all... What should I do?

    if(isset($_POST['plusLocation'])){ // if the user specified a city
        $thisCity=strip_tags($_POST['plusLocation']);
        $loc='AND l.city=$thisCity'; // ask for the city in the dynamic variable
    }else{
        $loc=''; // otherwise make the query without a city
    }
    $query="SELECT * FROM table1 t INNER JOIN location l ON l.id=t.id WHERE t.age BETWEEN 20 AND 30 $loc"; // and append either the city or nothing at the end


    $thisCity = mysql_real_escape_string(strip_tags($_POST['plusLocation']));
    $loc = "AND l.city='$thisCity'"; // ask for the city in the dynamic variable

For your case you need to use

    $thisCity = mysql_real_escape_string($thisCity);

Well, it is better, faster and safer to switch to PDO and use placeholders.

upd: and, as @Nord001 correctly noted,

    $loc="AND l.city='$thisCity'";
• There's also an error in $loc='AND l.city=$thisCity'; // ask for the city in the dynamic variable - Nord001
• @Nord001 It is possible that the id of the city is transmitted, but you are right, the quotes will not hurt. - FLK
• @FLK Those are single quotes, and PHP will not substitute anything there but leave it as is. - Nord001
• @Nord001 Indeed, I did not pay attention. Thanks. - FLK
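The PDO-with-placeholders approach recommended in the answer, as an added example that is not part of the original answers: the optional city condition is appended to the SQL text, but the value itself is always passed as a bound parameter, so quotes in the input cannot break or alter the query. It uses the table and column names from the question and assumes a placeholder DSN and credentials.

```php
<?php
// Added example (not the asker's or answerers' code): optional city filter built
// with PDO named placeholders. Table/column names come from the question; the DSN
// and credentials are placeholders.

/** Returns [$sql, $params]; the city value never becomes part of the SQL string. */
function buildSearchQuery(?string $city): array
{
    $sql = 'SELECT * FROM table1 t INNER JOIN location l ON l.id = t.id '
         . 'WHERE t.age BETWEEN :minAge AND :maxAge';
    $params = [':minAge' => 20, ':maxAge' => 30];

    // Only add the condition when the user actually supplied a city.
    if ($city !== null && $city !== '') {
        $sql .= ' AND l.city = :city';
        $params[':city'] = $city; // bound separately, so ' or " in the value are harmless
    }
    return [$sql, $params];
}

// strip_tags() is an HTML-output concern, not an SQL defence; the placeholder does that.
$city = isset($_POST['plusLocation']) ? trim($_POST['plusLocation']) : null;

[$sql, $params] = buildSearchQuery($city);

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

With the filter present, $sql ends in `AND l.city = :city` and $params carries the city; without it, the query runs with only the age range bound.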