So, I wanted to use two params on the URL to query from my server but I'm not able to do it.
The URL is: localhost/database/getTable?sLang=English&sId=1
The PHP script is:
<?php
if(isset($_REQUEST['sLang']))
if(isset($_REQUEST['sId']))
{
    $con = mysql_connect("blabla","blablabla","blablabla");
    mysql_query("SET NAMES UTF8");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("database", $con);
    $sLang = $_REQUEST['sLang']; // customer ID value = requested value
    SdID = $_REQUEST['sID']
    $result = mysql_query("SELECT * FROM table WHERE language = '$sLang' AND id = '$sId" ) or die('Errant Query:'); // select from the comments table where the id column value = requested value
    while($row = mysql_fetch_assoc($result))
    {
        $output[]=$row;
    }
    header('content-type: application/json; charset=utf-8');
    print(json_encode($output, JSON_UNESCAPED_UNICODE));
    mysql_close($con);
}
else
{
    $output = "not found";
    print(json_encode($output));
}
?>
I'm just returning the sLang values and the URL changes to: localhost/database/getTable?sLang=English
How can I query the database using the two params sLang and sId?
Best regards
You have a missing $ and a missing semi-colon for SdID = $_REQUEST['sID']
Plus, SdID has a typo, which should most likely read as
$sId = $_REQUEST['sID'];
which you're using in conjunction with AND id = '$sId"
Also, AND id = '$sId" needs a quote, AND id = '$sId'", or remove the erroneous quote.
SdID is presently being evaluated as a constant.
Another thing I noticed is the word table in ("SELECT * FROM table WHERE
An insight: If that is the DB table's actual name, it needs to be wrapped in backticks:
("SELECT * FROM `table` WHERE ...
table is a MySQL reserved word.
Also, instead of:
if(isset($_REQUEST['sLang']))
if(isset($_REQUEST['sId']))
it's best to use
if(isset($_REQUEST['sLang']) && isset($_REQUEST['sId']))
{
// code
}
or
if(isset($_GET['sLang']) && isset($_GET['sId']))
{
// code
}
Using error checking would have and should have thrown you errors, as well as mysql_error() in your query, if that is your actual code that you have posted initially, should there be an edit made on your part afterwards.
1) Typo: SdID = $_REQUEST['sID'] (SdID should be $sID)
$sID = $_REQUEST['sID'];
2) Coding Method: instead of nesting the if() statements like that, consider using
if(isset($_REQUEST['sLang']) && isset($_REQUEST['sId']))
3) SQL Insertion Avoidance: When loading GET or POST values into a variable, you should strip out unnecessary characters or encode the string to avoid SQL Insertion Attacks:
$sLang = preg_replace("/[^a-zA-Z0-9]+/", "", $_REQUEST['sLang']);
This will strip out anything but a-Z and 0-9 so your code can't be used to violate the inevitable SQL query.
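An added example, not part of the question or either answer: the same two-parameter lookup written with PDO prepared statements, so neither sLang nor sId is ever concatenated into the SQL text. The function name `fetchRows`, the `phrase` column, the sample rows and the in-memory SQLite database standing in for the MySQL server are assumptions made so the script runs offline.

```php
<?php
// Added example: hypothetical helper and constructed sample data.
// SQLite in memory stands in for MySQL; against MySQL only the DSN changes,
// e.g. new PDO('mysql:host=HOST;dbname=DB;charset=utf8mb4', USER, PASS).

function fetchRows(PDO $pdo, array $params): ?array
{
    // Array keys are case-sensitive: the URL sends sId, so read sId.
    if (!isset($params['sLang'], $params['sId'])) {
        return null;
    }
    // id is numeric, so reject anything that is not an integer.
    $sId = filter_var($params['sId'], FILTER_VALIDATE_INT);
    if ($sId === false || !is_string($params['sLang'])) {
        return null;
    }
    // Placeholders keep both values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT * FROM `table` WHERE language = :lang AND id = :id'
    );
    $stmt->bindValue(':lang', $params['sLang'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $sId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `table` (id INTEGER, language TEXT, phrase TEXT)');
$pdo->exec("INSERT INTO `table` VALUES (1, 'English', 'Hello'),
            (1, 'Portuguese', 'Olá'), (2, 'English', 'Bye')");

// Constructed requests standing in for $_GET.
$requests = [
    ['sLang' => 'English', 'sId' => '1'],              // one matching row
    ['sLang' => "English' OR '1'='1", 'sId' => '1'],  // bound as data: no rows
    ['sLang' => 'English', 'sId' => '1 OR 1=1'],      // not an integer: rejected
    ['sLang' => 'English'],                           // sId missing: rejected
];

foreach ($requests as $request) {
    $rows = fetchRows($pdo, $request);
    echo json_encode($rows ?? 'not found', JSON_UNESCAPED_UNICODE), PHP_EOL;
}
```

The mysql_* functions used in the question were removed in PHP 7, so PDO or mysqli is required on current PHP versions in any case.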