So I am trying to display answers to a survey, but first I want to separate the user IDs from each other. Right now answers are stored similar to this...

SGpID, SGresult, SGFACemail

Essentially, I want to display a button for each unique ID. So if I have 5 answers with an ID of 10 and 5 answers with an ID of 12, I want buttons saying "Results for ID 10" and "Results for ID 12".

What it is currently doing is displaying EVERY iteration where the select statement matches so essentially every answer... no bueno.

My thought was that I would go through a for each loop to separate the results and do something along the lines of...

"Each time SGpID is different", display a new button with that new SGpID.

I am just not sure really how to write it out. Here is what I have so far for the statement.

$query_db = ("SELECT SGpID FROM SGresult WHERE SGFACemail = '$email'");
$result = mysql_query($query_db) or die(mysql_error());

while ($row = mysql_fetch_assoc($result)) {
    // insert for each loop here?
    echo $row['SGpID'];
}

Thanks as always for any help or ideas on this one!

  • I'm not quite sure what you want to output, since you only select the SGpID. You might want to do something like this: SELECT SGpID, count(SGpID) as c FROM SGresult WHERE SGFACemail = '$email' GROUP BY SGpID; then you can output it in your while-loop like this: echo "Results for {$row['SGpID']}: {$row['c']}"; Commented Apr 24, 2012 at 19:02
  • Interesting Quas, I will have to give that a go. As of right now I just needed the IDs, so the answer below worked great for me! Commented Apr 24, 2012 at 19:06

1 Answer

Change your SELECT command to:

SELECT DISTINCT SGpID FROM SGresult WHERE SGFACemail = ?

Note I have used ? in place of '$email' as you really should use prepared statements. Learn from Bobby Tables!
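The answer's DISTINCT query run as a mysqli prepared statement, with one button emitted per ID, as an added example that is not code from the question or the answer; the connection credentials, the `email` form field and `results.php` are assumptions:

```php
<?php
// Added example (not from the original question or answer): the answer's
// DISTINCT query as a mysqli prepared statement, then one button per ID.
// Connection details, the form field name and results.php are assumptions.
$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'survey_db'); // placeholder credentials
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

// Untrusted input: taken from the form and never concatenated into the SQL text.
$email = $_POST['email'] ?? '';

// The SQL text contains no user data; '?' marks the bound parameter.
$sql = 'SELECT DISTINCT SGpID FROM SGresult WHERE SGFACemail = ?';
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}

// 's' = string type. The value travels separately from the statement, so an
// email such as "'; DROP TABLE SGresult; --" is compared literally against
// SGFACemail and cannot alter the query.
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($SGpID);

// One button per distinct ID. The ID is HTML-escaped on output because it
// came from the database and ends up inside markup.
while ($stmt->fetch()) {
    $safeId = htmlspecialchars((string) $SGpID, ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="results.php">';
    echo '<input type="hidden" name="SGpID" value="' . $safeId . '">';
    echo '<button type="submit">Results for ID ' . $safeId . '</button>';
    echo '</form>';
}

$stmt->close();
$mysqli->close();
```

The "'' in the results" behaviour described in the comments below is what you see when the input is escaped or bound as data rather than parsed as SQL; binding makes that the guaranteed outcome instead of a hosting-dependent one.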

4 Comments

Thanks so much Eggyral! This did the trick, I didn't know about the DISTINCT feature in MySQL. As far as prepared statements, I will look into that, but I thought from my understanding that if the variable $email is coming from a $_POST statement it would prevent people from, say, dropping the table? Thanks again!
FROM $_POST IT ABSOLUTELY WILL NOT BE PROTECTED. A malicious user could post whatever string they wanted, including '; DROP TABLE SGresult; --. Try submitting your form with that email address, if you dare.
Interesting.. so I took your advice and did just what you suggested, and also tried numerous other ways to try and sql_inject statements into my form. None of them worked. So perhaps GoDaddy offers some sort of protection?? But each time I tried to insert your statement I would get the results with '' in them. For example... ''; DROP TABLE SGresults; -- ' I even tried other SQL injections... any ideas?
It's possible that the MySQL connector only permits one command per query, which (if that were the case) provides some protection. However, even then an attacker could still construct queries which you hadn't intended to be run. In any event, without a moment's hesitation you should err on the side of caution and use prepared statements.
