I am using the following SQL query in MySQL.
"SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month,
account.name AS accountName,
account.id AS accountId,
invoices.invId AS invoiceId,
productType.title AS productTitle,
sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue,
sum(invoiceItems.quantity) AS totalQuantity
FROM account LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT ".$start_limit.", ".$records_per_page.";"
This works fine without the section to limit the query. However, when I add the limit section, the variables $start_limit & $records_per_page have no value, whereas if I jig the lines around the variables are making it into the query. This is also the case when I change the quotation marks around the variables, e.g. to '.$start_limit.'.
However the query does not seem to function with this.
Any advice or help as to what I am doing wrong would be greatly appreciated.
The values for the two variables are 100% definitely being passed in, and in this example they are simply start limit = 0 and end limit (per page) = 50.
I have checked and 50 is well below the limit.
The problem is that when I see the SQL error pop up it says:
SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month,
account.name AS accountName,
account.id AS accountId,
invoices.invId AS invoiceId,
productType.title AS productTitle,
sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue,
sum(invoiceItems.quantity) AS totalQuantity
FROM account LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT , ;
And if I change things around to see if the variables are there, we do get:
SELECT SUBSTRING(invoices.dateCreated, 1, 7) AS month,
account.name AS accountName,
account.id AS accountId,
invoices.invId AS invoiceId,
productType.title AS productTitle,
sum(invoiceItems.cost*invoiceItems.quantity) AS totalValue,
sum(invoiceItems.quantity) AS totalQuantity
FROM account LEFT JOIN invoices ON invoices.accountId = account.id
LEFT JOIN invoiceItems ON invoices.id = invoiceItems.invoiceId
LEFT JOIN productType ON invoiceItems.productTypeId = productType.id
WHERE invoices.statusId != 'S62FD452B1D4'
GROUP BY invoiceItems.productTypeId, invoices.invId
ORDER BY month DESC, accountName ASC, invoices.id ASC
LIMIT '.0.', '.50.' ;
Neither of these values is user supplied, so that's not too much of a problem. I am unsure as to why the variables are behaving unusually in this one query out of a hundred similar ones I have done that do the same thing fine. The only difference in this one is the number of groupings and orderings. Would this make a difference?
If $start_limit and/or $records_per_page are unpopulated you’re going to have issues. However, you can default them to standard values before placing them in the query if you wish:
Then go about your business:
I should note though that if either (or both) of these are user-supplied (or the user has any opportunity to change these values) I would sanitize them first before placing them in the query. e.g.
Then you’re making sure $start_limit doesn’t contain anything threatening like ;SELECT password FROM admin_table;. (SQL Injection)
Your question is a bit ambiguous though, so if I’m off track please update the question and I will do the same with my answer.
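The defaulting and sanitizing steps described in the answer above, as an added example that is not the answerer's own code. The function name limit_clause() and the MAX_PER_PAGE bound are hypothetical; the defaults 0 and 50 are the values given in the question.

```php
<?php
// Added example, not code from the original post.
// limit_clause() and MAX_PER_PAGE are hypothetical names; the defaults
// 0 and 50 are the start and per-page values mentioned in the question.
const MAX_PER_PAGE = 200; // assumed upper bound on page size

function limit_clause($start, $perPage): string
{
    // FILTER_VALIDATE_INT accepts only a whole number inside the given range.
    // Anything else (null, '', text, trailing SQL, out-of-range numbers)
    // falls back to the 'default' option, so only integers reach the SQL.
    $start = filter_var($start, FILTER_VALIDATE_INT, [
        'options' => ['default' => 0, 'min_range' => 0],
    ]);
    $perPage = filter_var($perPage, FILTER_VALIDATE_INT, [
        'options' => ['default' => 50, 'min_range' => 1, 'max_range' => MAX_PER_PAGE],
    ]);

    // %d formats both values as integers; no quotes are added around them.
    return sprintf('LIMIT %d, %d', $start, $perPage);
}

// Constructed sample inputs: the unpopulated case from the question,
// a normal page request, the injection string quoted in the answer,
// and a page size above the assumed bound.
$samples = [
    'unset variables'   => [null, null],
    'empty strings'     => ['', ''],
    'normal paging'     => ['100', '50'],
    'injection attempt' => ['0; SELECT password FROM admin_table;', '50'],
    'oversized page'    => [0, 1000000],
];

foreach ($samples as $label => [$start, $perPage]) {
    printf("%-18s => %s\n", $label, limit_clause($start, $perPage));
}
```

If the two values are bound as placeholders instead of being formatted into the string, bind them with PDO::PARAM_INT: under emulated prepares a string-bound value is quoted, and MySQL rejects LIMIT '0', '50'.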