Help me deal with escaping. I'm trying to build a 'dynamic query to the database'. That is, we have 2 tables, users and location. If the user specified a city when searching, we take it into account in the query; if none was entered, we ignore it and run the query without a filter by city. But I just can't figure it out with the quotes: either they get in each other's way, or they have no effect at all. What should I do?

    if(isset($_POST['plusLocation'])){ // if the user specified a city
        $thisCity=strip_tags($_POST['plusLocation']);
        $loc='AND l.city=$thisCity'; // ask for the city in the dynamic variable
    }else{
        $loc=''; // otherwise run the query without the city
    }
    $query="SELECT * FROM table1 t INNER JOIN location l ON l.id=t.id WHERE t.age BETWEEN 20 AND 30 $loc"; // and append either the city or nothing at the end

2 answers

     $thisCity = mysql_real_escape_string(strip_tags($_POST['plusLocation']));
     $loc = "AND l.city='$thisCity'"; // ask for the city in the dynamic variable

      For your case you need to use

       $thisCity = mysql_real_escape_string($thisCity); 

      Well, it's better, faster and safer to switch to PDO and use placeholders.

      upd: and, as @Nord001 correctly noted,

       $loc="AND l.city='$thisCity'"; 
      • There's also an error in $loc='AND l.city=$thisCity'; // ask for the city in the dynamic variable - Nord001
      • @Nord001 it's possible that the city id is being passed, but you're right, the quotes won't hurt. - FLK
      • @FLK Those are single quotes, and PHP won't substitute anything there but will leave it as is. - Nord001
      • @Nord001 indeed, I didn't notice. Thanks - FLK
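The following is an added example, not code from the question or from either answer. It shows the same conditional city filter from the question built the way the second answer recommends (PDO with placeholders), which also removes the quoting problem the first answer works around with mysql_real_escape_string: the city value never becomes part of the SQL text, so no quotes around it are needed and quotes inside it cannot break the query. Table and column names follow the question; the function name buildQuery, the DSN, the credentials and the PDO options are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Builds the dynamic WHERE clause
// from the question with PDO placeholders instead of string interpolation.
// Table/column names are the question's; buildQuery, the DSN and the
// credentials below are assumed for illustration.

function buildQuery(array $post): array
{
    // Placeholders stand in for every user-controlled value. Identifiers
    // (table and column names) cannot be parameterised, so they stay literal.
    $sql = 'SELECT * FROM table1 t INNER JOIN location l ON l.id = t.id '
         . 'WHERE t.age BETWEEN :minAge AND :maxAge';
    $params = [':minAge' => 20, ':maxAge' => 30];

    // Only append the city condition when the user actually supplied one.
    if (isset($post['plusLocation']) && $post['plusLocation'] !== '') {
        $sql .= ' AND l.city = :city';
        // No quotes and no escaping here: the value is sent to the server
        // separately from the SQL text, so it can contain quotes, backslashes
        // or anything else without changing the query's meaning.
        // strip_tags() is an HTML-output concern, not an SQL defence, so it is
        // left out of the SQL path on purpose.
        $params[':city'] = $post['plusLocation'];
    }

    return [$sql, $params];
}

// Assumed connection details; adjust to the real environment.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

[$sql, $params] = buildQuery($_POST);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Two practical notes: the mysql_* extension used in the answers above (mysql_real_escape_string and friends) was removed in PHP 7.0, so PDO or mysqli with prepared statements is the only option on current PHP; and placeholders only cover values, so if the city filter ever needs a user-chosen column or table name, that part must be validated against a fixed whitelist rather than escaped.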