0 
mysql_query("SELECT * FROM foo WHERE id ='$foo' OR id = '$foo2");

This doesn't work.

Basically, I want to be able to select it where the id is one variable's value OR another one's.

Thanks.

EDIT: The ID column is numerical.

Improve this question
3
  • missing a ' in your code. is just a typo? Commented Nov 18, 2011 at 13:13
  • Your query is perfect i think value in your variable is going wrong print it and than try Commented Nov 18, 2011 at 13:14
  • 3
    "This doesn't work." Is that the error you get from MySql? I thought it was a little more verbose on why a given query won't work, but I might be mistaken. Commented Nov 18, 2011 at 13:14

3 Answers 3

Reset to default
4

As others have said and you confirmed, the problem is that you are using string literals to compare to a numeric column. To have it work, the query should look like

mysql_query("SELECT * FROM foo WHERE id =$foo OR id = $foo2");

However, this solution has very very bad code smell!

First off, this is why IN exists: to be able to write

mysql_query("SELECT * FROM foo WHERE id IN ($foo, $foo2)");

And second, are you injecting unescaped strings into your query? If you are, your code is vulnerable to sql injection! Escape and quote your variables to be safe, like this (in the general case):

$query = sprintf("SELECT * FROM foo WHERE id IN ('%s', '%s')",
                 mysql_real_escape_string($foo),
                 mysql_real_escape_string($foo2));
mysql_query($query);

or alternatively like this, since in this specific scenario you know we 're talking about integer values:

$query = sprintf("SELECT * FROM foo WHERE id IN (%s, %s)",
                 intval($foo), intval($foo2));
mysql_query($query);

Footnote: I am aware that when using sprintf like this, one could also handle integer values by just using %d instead if %s as the format specifier. However, I believe that proving you are correctly escaping variables should be possible by just looking at one place (the parameter list) instead of multiple places (did I use intval on the variable? or maybe I did not, but I 'm using %d in the format string so I 'm still OK?). It may sound counter-intuitive, but it's more robust in the face of modifications.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

@Kakashi: Your edit is wide open to sql injection if $foo and/or $foo2 is malicious.
@Col.Shrapnel: How? Please enlighten me.
string literals are ok to compare with numeric column. but alas I've only 1 vote.
the same way as any injection works. $id="1 union select password from users";
@Col.Shrapnel: There's an intval in there, in case you haven't noticed. "1 union select password from users" would be converted to just 1.
|
3

I think you forgot the last ' character

mysql_query("SELECT * FROM foo WHERE id ='$foo' OR id = '$foo2'");

but because the id column is numerical, you should use:

mysql_query("SELECT * FROM foo WHERE id = $foo OR id = $foo2");
Improve this answer

Comments

0

Try this:

mysql_query(sprintf("SELECT * FROM foo WHERE id = %s OR id = %s", $foo, $foo2));

I recommend you use mysql_error() for get mysql errors(if exists).

mysql_query( .. ) or die('Erro:'.mysql_error());

the mysql_error returns the last error occurred in mysql.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.