[TYPO3-english] a question about exec_SELECTquery()

Oliver Klee typo3-german-02 at oliverklee.de
Wed Jan 7 22:27:22 CET 2009


Hi,

Luming Xing schrieb:
> I'm writing a FE extension with a search function, and I am a little confused
> by exec_SELECTquery().
> 
> I use HTML template, this is my exec_SELECTquery().
>        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
>          '*',   #select
>          'tx_modatest_tabledozent', #from
>          'first_name='.$this->piVars['firstname'],  #where
>          #'first_name=0',    #where
>          '',
>          '',
>          '');
> When first_name = piVars['firstname'], it gives me nothing in return,
> but when first_name = 0, it gives me all the data of that table back.

first_name is a string. So you need to quote it. In addition, you need
to escape the string to get rid of the SQL injection issue which
currently sits in your code.

This WHERE line should read:

'first_name = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr(
  $this->piVars['firstname'], 'tx_modatest_tabledozent'
),



Oliver
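An added example (not code from the thread) of the whole lookup with the quoted WHERE clause wired into a plugin method. It assumes the TYPO3 4.x t3lib_DB API behind $GLOBALS['TYPO3_DB'] and a hypothetical plugin class name; the table and column are the ones from the question.

```php
<?php
// Added example, not from the original thread. Assumes TYPO3 4.x
// (t3lib_DB via $GLOBALS['TYPO3_DB']) and that tx_modatest_tabledozent
// has a string column first_name. The class name is hypothetical.
class tx_modatest_pi1_search {

    // Returns all rows whose first_name equals $firstName (string compare).
    function findByFirstName($firstName) {
        $db    = $GLOBALS['TYPO3_DB'];
        $table = 'tx_modatest_tabledozent';

        // fullQuoteStr() escapes the value AND wraps it in single quotes,
        // so it is always compared as a string literal. Without the quotes,
        // first_name=John makes MySQL look for a column named John (query
        // error, no rows), and first_name=0 matches every row because
        // non-numeric strings cast to 0 in a numeric comparison.
        $where = 'first_name = ' . $db->fullQuoteStr((string) $firstName, $table);

        $res  = $db->exec_SELECTquery('*', $table, $where);
        $rows = array();
        if ($res) {
            while (($row = $db->sql_fetch_assoc($res))) {
                $rows[] = $row;
            }
            $db->sql_free_result($res);
        }
        return $rows;
    }
}

// Inside the plugin's main(): piVars come from the request, so treat them
// as untrusted and never concatenate them into SQL unquoted.
// $dozenten = $this->findByFirstName(isset($this->piVars['firstname'])
//     ? $this->piVars['firstname'] : '');
```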

