[TYPO3-english] a question about exec_SELECTquery()
Oliver Klee
typo3-german-02 at oliverklee.de
Wed Jan 7 22:27:22 CET 2009
Hi,
Luming Xing schrieb:
> I am writing a FE extension with a search function, and I am a little confused
> by exec_SELECTquery().
>
> I use HTML template, this is my exec_SELECTquery().
> $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
> '*', #select
> 'tx_modatest_tabledozent', #from
> 'first_name='.$this->piVars['firstname'], #where
> *#'first_name=0', #where*
> '',
> '',
> '');
> When first_name = piVars['firstname'], it gives me nothing in return,
> but when first_name = 0, it gives me the whole data of that table back.
first_name is a string. So you need to quote it. In addition, you need
to escape the string to get rid of the SQL injection issue which
currently sits in your code.
This WHERE line should read:
'first_name = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr(
$this->piVars['firstname'], 'tx_modatest_tabledozent'
),
Oliver
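As an added illustration (not code from the mailing-list thread or from TYPO3 itself), the following puts the questioner's WHERE clause and the answer's quoted form side by side inside a hypothetical pi1 plugin method. It assumes the TYPO3 4.x t3lib_DB API ($GLOBALS['TYPO3_DB']->exec_SELECTquery(), ->fullQuoteStr(), ->sql_fetch_assoc(), ->sql_free_result()); the Tx_Example_FakeDb class, the Tx_Modatest_Pi1_Search class and the sample rows are constructed so the file runs outside a TYPO3 installation.

```php
<?php
// Added example, not from the original post. Assumes the TYPO3 4.x t3lib_DB
// API; Tx_Example_FakeDb is a constructed stand-in so the file runs offline.

class Tx_Modatest_Pi1_Search
{
    /** piVars as TYPO3 fills them from the request, e.g. tx_modatest_pi1[firstname] */
    public $piVars = array();

    // The questioner's form: the raw piVar is concatenated into the WHERE clause.
    // Anything the visitor types becomes part of the SQL statement.
    public function buildWhereVulnerable()
    {
        return 'first_name=' . $this->piVars['firstname'];
    }

    // The answer's form: fullQuoteStr() escapes the value and wraps it in quotes,
    // so it is always compared as a string and cannot alter the query structure.
    public function buildWhereQuoted()
    {
        $name = isset($this->piVars['firstname']) ? $this->piVars['firstname'] : '';
        return 'first_name = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($name, 'tx_modatest_tabledozent');
    }

    // Runs the search with the quoted WHERE clause and returns the rows as arrays.
    public function search()
    {
        $rows = array();
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
            '*',                        // select
            'tx_modatest_tabledozent',  // from
            $this->buildWhereQuoted(),  // where
            '',                         // groupBy
            '',                         // orderBy
            ''                          // limit
        );
        while (($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) !== false) {
            $rows[] = $row;
        }
        $GLOBALS['TYPO3_DB']->sql_free_result($res);
        return $rows;
    }
}

// Constructed stand-in for $GLOBALS['TYPO3_DB'] (hypothetical, not TYPO3 code).
// It records the SQL it would send and answers "first_name = '...'" from sample rows.
class Tx_Example_FakeDb
{
    public $lastQuery = '';
    private $table = array(
        array('uid' => 1, 'first_name' => 'Luming'),   // constructed sample rows
        array('uid' => 2, 'first_name' => 'Oliver'),
    );

    // Real TYPO3 escapes via the MySQL connection; addslashes() is used here only
    // so the example runs without a database.
    public function fullQuoteStr($str, $table)
    {
        return "'" . addslashes((string) $str) . "'";
    }

    public function exec_SELECTquery($select, $from, $where, $groupBy = '', $orderBy = '', $limit = '')
    {
        $this->lastQuery = "SELECT $select FROM $from WHERE $where";
        $hits = array();
        if (preg_match("/^first_name = '((?:[^'\\\\]|\\\\.)*)'$/", $where, $m)) {
            foreach ($this->table as $row) {
                if ($row['first_name'] === stripslashes($m[1])) {
                    $hits[] = $row;
                }
            }
        }
        return new ArrayIterator($hits);
    }

    public function sql_fetch_assoc($res)
    {
        if (!$res->valid()) {
            return false;
        }
        $row = $res->current();
        $res->next();
        return $row;
    }

    public function sql_free_result($res) {}
}

// Usage: compare the SQL both forms produce for the same visitor input.
$GLOBALS['TYPO3_DB'] = new Tx_Example_FakeDb();
$plugin = new Tx_Modatest_Pi1_Search();
$plugin->piVars['firstname'] = "O'Brien";              // constructed input with a quote
echo "unquoted: WHERE " . $plugin->buildWhereVulnerable() . "\n";
echo "quoted:   WHERE " . $plugin->buildWhereQuoted() . "\n";
$plugin->piVars['firstname'] = 'Luming';
echo count($plugin->search()) . " row(s) for 'Luming'\n"; // 1 row with the sample data
```

The unquoted line shows why the original query returned nothing for a normal name: without quotes the value is parsed as an SQL identifier or expression rather than a string, and the literal 0 matched every row because MySQL converts a non-numeric string column value to 0 when comparing it with an integer. The quoted form compares the column with a string literal, so only exact matches come back.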