This project I'm working on is going great. PHP is the greatest thing
since sliced bread. I've already connected to the MySQL database,
retrieved and sent data, displayed the data using a foreach loop and
added the feature of resorting and updating the data. The next feature
I want to add to my page is to allow the user to send his own MySQL
select statement. Most of the statement never changes, so I put it on
the page as plain HTML. The user can fill in textboxes for the columns
he wants, the order if he wants, limit if he wants, etc. Upon submit,
the server script takes the parts of the select statement that don't
change and combines them with the user's input from the textboxes.
Now, here's the problem. Let's say the user wants to run the query
select abc from tablename where xyz="bananas";
If the user puts the quotes around the word bananas, the query will be
run as
....xyz=\"bananas\" and will return an error from MySQL.
If the user does not put quotes around bananas, MySQL returns
no such column name, bananas
I've considered replacing the textboxes with pull-down combo boxes, but
that REALLY lowers the number and complexity of queries the user can
perform.
Thank you in advance for your kind, insightful, accurate, useful
suggestions.
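One way to keep free-text boxes without the quoting problem, as an added example that is not code from the original post: only the identifiers (column names, sort order) are checked against an allowlist and spliced into the fixed part of the statement; the comparison value is never put into the SQL text at all but bound as a parameter, so whatever the user types (with or without quotes) is treated as data. The table and column names come from the post; the in-memory SQLite database, the sample rows and the form field names are assumptions made so the script runs offline, and the same code works against MySQL by changing the PDO connection string.

```php
<?php
// Added example, not from the original post: build the user's SELECT safely.
// Assumed: table "tablename" with columns abc and xyz (names from the post);
// an in-memory SQLite database stands in for MySQL so this runs offline.

// Column names and sort directions the user may name. Identifiers cannot be
// bound as parameters, so they are validated against an allowlist instead.
const ALLOWED_COLUMNS    = ['abc', 'xyz'];
const ALLOWED_DIRECTIONS = ['ASC', 'DESC'];

/**
 * Combine the fixed part of the statement with the user's textbox input.
 * Returns [sql, params]: identifiers enter the SQL only after validation,
 * the WHERE value is always passed as a bound parameter.
 */
function buildSelect(array $input): array
{
    $columns = array_map('trim', explode(',', $input['columns'] ?? ''));
    foreach ($columns as $c) {
        if (!in_array($c, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown column: $c");
        }
    }
    $whereCol = $input['where_column'] ?? '';
    if (!in_array($whereCol, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown column: $whereCol");
    }

    $sql = 'SELECT ' . implode(', ', $columns)
         . ' FROM tablename WHERE ' . $whereCol . ' = :value';
    // The value is bound, not quoted by hand, so quotes in it are plain data.
    $params = [':value' => $input['where_value'] ?? ''];

    if (!empty($input['order_column'])) {
        $dir = strtoupper($input['order_dir'] ?? 'ASC');
        if (!in_array($input['order_column'], ALLOWED_COLUMNS, true)
            || !in_array($dir, ALLOWED_DIRECTIONS, true)) {
            throw new InvalidArgumentException('invalid ORDER BY');
        }
        $sql .= ' ORDER BY ' . $input['order_column'] . ' ' . $dir;
    }
    if (isset($input['limit']) && $input['limit'] !== '') {
        // LIMIT must be a plain non-negative integer; cast it, never interpolate text.
        if (!ctype_digit((string) $input['limit'])) {
            throw new InvalidArgumentException('LIMIT must be a non-negative integer');
        }
        $sql .= ' LIMIT ' . (int) $input['limit'];
    }
    return [$sql, $params];
}

// Constructed sample data standing in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tablename (abc TEXT, xyz TEXT)');
$db->exec("INSERT INTO tablename VALUES ('one', 'bananas'), ('two', 'apples'), ('three', '\"bananas\"')");

// The case from the post: the user types bananas, with or without quotes.
// Without quotes the row holding bananas matches; with quotes the literal
// "bananas" (quotes included) is looked up, and neither input is a syntax error.
foreach (['bananas', '"bananas"'] as $typed) {
    [$sql, $params] = buildSelect([
        'columns'      => 'abc',
        'where_column' => 'xyz',
        'where_value'  => $typed,
        'order_column' => 'abc',
        'order_dir'    => 'asc',
        'limit'        => '10',
    ]);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    printf("%-12s -> %s\n", $typed, json_encode($rows));
}
```

Run it with `php example.php`; the first iteration returns `["one"]` and the second `["three"]`. If the server is configured to prepend backslashes to incoming quotes (the `\"` visible in the post's failing query is that behaviour), apply `stripslashes()` to the value before binding it, otherwise the backslash itself becomes part of the compared string. This keeps the textboxes the post wants to keep: the user still chooses any column, order and limit, only from a list of names the script recognises, while the value box accepts arbitrary text.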