i would like my mysql query to be different depending on the content of a php variable (session) it has to be something like:
if ($_SESSION['session_id'] != NULL) {
$var1 = "and id = '$_SESSION[session_id]'";
}
$result = mysql_query("
SELECT field1, field2
FROM table
WHERE name = '$_GET[name]' $var1
") or die(mysql_error());
which will be: WHERE name = '$_GET[name]' and id = '$_SESSION[session_id]'
or: WHERE name = '$_GET[name]'
how can i do this? Thanks.
The code you are trying to create has some serious (and less serious) problems that you need to fix right away if you ever want to make your site usefull.
First of, dont use mysql_ function but switch to mysqli or pdo. mysql functions have been deprecated.
Also you are inserting user input directly into your query. This causes some serious SQL injection problems. Always make sure to validate and escape user input.
To create a query like you want I'd use:
<?php
$name = $_GET['name'];
//validate $name according to your choice of mysql provider. EG: mysqli_real_escape_string
//this is just basic validation. make sure you also add other types of validation. If a name is always alphanumeric, make sure you also check that it is before using it.
/*
if you dont validate and I would enter my name like: hugo' OR 1=1 --
I would be able to access any record in your database. And that is just a harmless example.
*/
$query = "SELECT field1, field2 FROM table WHERE name = '".$name."'"
//for sake of simplicity I assume the id is numeric
if (!empty($_SESSION['session_id']) AND is_numeric($_SESSION['session_id'])) {
$query .= " and id = '".$_SESSION['session_id']."'";
}
//exec query
?>
empty because an Id of 0, which is often used after a log out, should be dismissed also
mysql_*functions in new code. They were removed from PHP 7.0.0 in 2015. Instead, use prepared statements via PDO or MySQLi. See Why shouldn't I use mysql_* functions in PHP? for more information.