
I feel like I'm making a rookie error here somewhere but can't figure out what's going wrong. I am using PHP and MySQL. I have an array $users that stores a current user's information. The array is storing the customer id (cid, it's an integer). So I'm trying to pull information that is only tagged to a specific customer. My code is:

try
{
    $sql = 'SELECT id, title, image_url FROM shelf WHERE cid = $user['cid']'; 
    $result = $pdo->query($sql);
}

I feel like I have similar code in other parts of my program that are working so this seems like I may be doing something wrong in terms of syntax. If I replace $user['cid'] in the request with a hard-coded number like 22, the statement works fine. However, I need to pull the integer from $user. I'm getting a T_STRING error on the SELECT statement line. I have also tried to add an additional set of single quotes around $user['cid'] but that's not working either (i.e. $user['cid'])

Thanks for your help.

Twine

2 Comments

  • Try using double quotes instead of single quotes to assign your string. Commented Sep 25, 2012 at 14:18
  • Why are you using an editor without syntax highlighting? Commented Sep 25, 2012 at 14:19

3 Answers

2

You're using PDO, so you should be using place-holders, too:

$stmt = $pdo->prepare('SELECT id, title, image_url FROM shelf WHERE cid=:cid');
$stmt->bindParam(':cid', $user['cid']);
$stmt->execute();

This ensures your data is escaped correctly and handles conversion to the appropriate database format where required.


4 Comments

Needle in a haystack some days, I swear. Thanks for the props.
Tadman, you nailed it. I had previously tried using placeholders and it still wasn't working. I had added in a $result = $r->fetch(); afterwards. I excluded it based on your advice and it's working now.
@OrangeTwine if his answer solved your problem, make sure you click on the check mark to accept this as an answer.
Stick with placeholders. They'll serve you well.
2

Yup, rookie error. Change to double quotes and add { } around the value like:

$sql = "SELECT id, title, image_url FROM shelf WHERE cid = {$user['cid']}"; 

6 Comments

How do you know if it's not escaped earlier?
If it's not obvious it's escaped, you cannot presume it's escaped.
The query string is obviously not the place to escape a query value. Good luck applying a set of filters while concatenating a string.
The query string is the ONLY place to escape a value. Period. This is not up for debate. If you're using string interpolation to insert values in your queries in PDO you are doing it wrong.
If it's the only place, then how come your example escapes it somewhere else? The escape is done by the bindParam method, not in the query string. But I won't argue about details, and I admit that in the case of PDO your example is the right way to go, but the question was how to get rid of the T_STRING error.
-2

$sql = 'SELECT id, title, image_url FROM shelf WHERE cid = '.intval($user['cid']);

6 Comments

I'd slightly prefer (int) $user['cid'] over intval
Author says "However, I need to pull the integer from $user". I give the way to do it and get -1. Very nice. Thanks.
intval is not a substitute for proper SQL escaping. If you do this on a regular basis you're creating a whole world of hurt for yourself.
What's wrong with using (int) or intval for protecting integers in queries?
If you mean the way it's written, I agree. I prefer using placeholders. But in current context what I wrote seems to be a nice way to fix the bug and find out what's going on + prevent injection of course. Please tell if intval or (int) work wrong, it would be very interesting for me at least.
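A stand-alone script, added here and not part of the question or any answer, that puts the placeholder approach from the first answer next to the explicit integer cast debated under the last one. It assumes an in-memory SQLite database with constructed rows in place of the MySQL table, and a constructed $user array.

```php
<?php
// Added example (not code from the question or the answers). It uses an
// in-memory SQLite database so it runs stand-alone; the table and column
// names come from the question, the rows and the $user array are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shelf (id INTEGER PRIMARY KEY, cid INTEGER, title TEXT, image_url TEXT)');
$pdo->exec("INSERT INTO shelf (cid, title, image_url) VALUES
            (22, 'Alpha', '/img/a.png'),
            (22, 'Beta',  '/img/b.png'),
            (23, 'Gamma', '/img/c.png')");

// The question's string: single quotes do not interpolate, and the quotes
// around 'cid' end the string early, which is what produces the T_STRING error.
// Double quotes with {$user['cid']} interpolate, but still splice the value
// into the SQL text, so they are only safe when cid is already a trusted int.

// Placeholder version: the value travels as a bound parameter, separate from
// the SQL text, so it can never change the shape of the query.
function shelfForCustomer(PDO $pdo, $cid): array
{
    $stmt = $pdo->prepare('SELECT id, title, image_url FROM shelf WHERE cid = :cid');
    // (int) makes the intent explicit: non-numeric input becomes 0 and matches nothing.
    $stmt->bindValue(':cid', (int) $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);   // [] when no row matches
}

$user = ['cid' => 22];   // constructed stand-in for the question's $user array

foreach (shelfForCustomer($pdo, $user['cid']) as $row) {
    printf("%d %s %s\n", $row['id'], $row['title'], $row['image_url']);
}

// A tampered value is still just data: (int) '22 OR 1=1' is 22, so the
// same two cid=22 rows come back and customer 23's row is never exposed.
$rows = shelfForCustomer($pdo, '22 OR 1=1');
assert(count($rows) === 2);

// Non-numeric input casts to 0 and simply matches no rows.
assert(shelfForCustomer($pdo, 'abc') === []);
```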
