26

I want to select some ids based on a URL string, but with my code it displays only the first. If I write the ids manually, it works great.

I have a URL like this: http://www.mydomain.com/myfile.php?theurl=1,2,3,4,5 (ids)

Now in myfile.php I have my SQL connection and:

$ids = $_GET['theurl']; (and I am getting 1,2,3,4,5)

If I use this:

$sql = "select * from info WHERE `id` IN (1,2,3,4,5)";
$slqtwo = mysql_query($sql);
while ($tc = mysql_fetch_assoc($slqtwo)) {
    echo $tc['a_name'];
    echo " - ";
}

I am getting the correct results. Now if I use the code below, it's not working:

$sql = "select * from info WHERE `id` IN ('$ids')";
$slqtwo = mysql_query($sql);
while ($tc = mysql_fetch_assoc($slqtwo)) {
    echo $tc['a_name'];
    echo " - ";
}

Any suggestions?

2 Comments

  • What is $ids? Note that because you've enclosed it in quotes, MySQL will treat it as a single item, so '1, 2' will return items with an ID of 1, 2. Commented Dec 24, 2013 at 14:17
  • You may want to research SQL injection and PDO. Those will greatly improve your code. Commented Dec 24, 2013 at 14:20

2 Answers

52

When you interpolate

"select * from info WHERE `id` IN ('$ids')"

with your IDs, you get:

"select * from info WHERE `id` IN ('1,2,3,4,5')"

...which treats your set of IDs as a single string instead of a set of integers.

Get rid of the single-quotes in the IN clause, like this:

"select * from info WHERE `id` IN ($ids)"

Also, don't forget that you need to check for SQL Injection attacks. Your code is currently very dangerous and at risk of serious data loss or access. Consider what might happen if someone calls your web page with the following URL and your code allowed them to execute multiple statements in a single query:

http://www.example.com/myfile.php?theurl=1);delete from info;-- 

2 Comments

+1 I think you should add the obligatory warning of using $ids = $_GET['theurl'] directly
This answer is unfortunately vulnerable to SQL injection
3

You can also try FIND_IN_SET() function

$SQL = "select * from info WHERE FIND_IN_SET(`id`, '$ids')"

OR

$SQL = "select * from info WHERE `id` IN ($ids)"

3 Comments

This answer is unfortunately vulnerable to SQL injection
@flaviut you are assuming the ids var isn't sanitized
Doing this properly using mysqli_prepare is free, and does not depend on both writing the sanitation code correctly (many times it is wrong) and making sure no one accidentally forgets to sanitize data in future code (impossible).
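The following is an added example, not code from the question or from either answer. It shows how both query shapes discussed above (the `IN (...)` list from the accepted answer and the `FIND_IN_SET()` form from the second answer) can be run with mysqli prepared statements, as the last comment suggests, so that the contents of $_GET['theurl'] can never be interpreted as SQL. It assumes the table `info` with columns `id` and `a_name` from the question, a mysqli extension with mysqlnd (needed for get_result()), and placeholder connection details; the function names are mine.

```php
<?php
// Added example: validate the comma-separated id list from the URL, then query
// with prepared statements. Assumes table `info` (`id`, `a_name`) from the
// question; connection details below are placeholders.

/**
 * Turn "1,2,3" into an array of ints. Any token that is not a string of
 * digits (e.g. '', '1)', 'abc', '-1') is rejected, so the caller can answer
 * with an error instead of running a query on garbage.
 */
function parseIdList(string $raw, int $maxIds = 100): array
{
    $ids = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if (!ctype_digit($token)) {
            throw new InvalidArgumentException("invalid id: '$token'");
        }
        $ids[] = (int) $token;
    }
    $ids = array_values(array_unique($ids));
    if (count($ids) === 0 || count($ids) > $maxIds) {
        throw new InvalidArgumentException('id list is empty or too long');
    }
    return $ids;
}

/**
 * Variant 1: WHERE `id` IN (?, ?, ?) with one placeholder per id.
 * The SQL text only ever contains '?' characters, never user input.
 */
function fetchNamesByIds(mysqli $db, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT `id`, `a_name` FROM `info` WHERE `id` IN ($placeholders)");
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);  // all bound as integers
    $stmt->execute();
    $result = $stmt->get_result();
    $names = [];
    while ($row = $result->fetch_assoc()) {
        $names[$row['id']] = $row['a_name'];
    }
    $stmt->close();
    return $names;
}

/**
 * Variant 2: FIND_IN_SET(`id`, ?) with the whole validated list bound as a
 * single string. Simpler to bind, but FIND_IN_SET cannot use an index on `id`.
 */
function fetchNamesByFindInSet(mysqli $db, array $ids): array
{
    $list = implode(',', $ids);
    $stmt = $db->prepare("SELECT `id`, `a_name` FROM `info` WHERE FIND_IN_SET(`id`, ?)");
    $stmt->bind_param('s', $list);
    $stmt->execute();
    $result = $stmt->get_result();
    $names = [];
    while ($row = $result->fetch_assoc()) {
        $names[$row['id']] = $row['a_name'];
    }
    $stmt->close();
    return $names;
}

// Usage, as it would appear in myfile.php. Throw on driver errors instead of
// silently returning false from mysql_query()-style calls.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');  // placeholders

try {
    $ids = parseIdList($_GET['theurl'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad id list');
}

foreach (fetchNamesByIds($db, $ids) as $name) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), " - ";  // escape for HTML output
}
```

With this in place the URL from the accepted answer, theurl=1);delete from info;--, never reaches the database: parseIdList() rejects the token "1)" and the request is answered with a 400. Even if validation were skipped, the ids are bound as parameters rather than spliced into the query text, so they are only ever compared as values.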
