Home/ Questions/Q 9014575
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T03:32:33+00:00

I’m trying to do a search based on <select multiple=multiple name=chkUnr[]> I’m getting out

  • 0

I’m trying to do a search based on 

<select multiple=multiple name="chkUnr[]">

I’m getting out the values from select by running code:

 for($i=0;$i<count($_POST["chkUnr"]);$i++)
                    {
                    if($_POST["chkUnr"][$i] != "")
                    {
                        $search_country = $_POST["chkUnr"][$i];                     
                    }

            $query = "";
            $query .= "SELECT users.* FROM users";
            if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
              $query .= " LEFT JOIN online ON online.user_id = users.id";
            }
            $query .= " WHERE";
            if (isset($_POST['vip']) ? $_POST['vip'] : 0 == 1) {
             $query .= " users.vip = 1 AND";
            }
            if (isset($_POST['profile_image']) ? $_POST['profile_image'] : 0 == 2) {
              $query .= " users.profile_image = '2' AND";
            }
            if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
              $query .= " online.is_online = 1 AND";
            }
            $query .= " (id NOT IN (SELECT user_id FROM users_blocked WHERE blocked_id = '$user_id')) AND";

            $query .= " (users.user_age >= '$age_from' AND users.user_age <= '$age_to') AND";

            $query .= " (users.gender = '$gender_search') AND";

            $query .= " users.country IN ('$search_country')";

            $search_query = mysql_query($query);


            }

And i can print out the values but the problem comes when i do the SQL search.
It only pick up the first value in this case im using countries:
So when i select Sweden, Germany, Usa i can print them all out but when trying to do a SQL query only Sweden is being picked up.

I’ve tried with this code but still same result.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The problem here (and with the other answer) is that the in clause was surrounded by quotes, so that will not yield the result that we want. We need to effectively pass in an array to the query. Also your code is vulnerable to sql injection. I would strongly suggest moving to PDO/prepared statements. I added a slight protection to the countries, but that is not foolproof by any means.

    function prepareForSql($value, $key) {
    return addslashes($value);
}

array_walk($_POST["chkUnr"], "prepareForSql");
$search_country = "'" . implode("','", $_POST["chkUnr"]) . "'";

$query = "";
$query .= "SELECT users.* FROM users";
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
    $query .= " LEFT JOIN online ON online.user_id = users.id";
}
$query .= " WHERE";
if (isset($_POST['vip']) ? $_POST['vip'] : 0 == 1) {
    $query .= " users.vip = 1 AND";
}
if (isset($_POST['profile_image']) ? $_POST['profile_image'] : 0 == 2) {
    $query .= " users.profile_image = '2' AND";
}
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
    $query .= " online.is_online = 1 AND";
}
$query .= " (id NOT IN (SELECT user_id FROM users_blocked WHERE blocked_id = '$user_id')) AND";

$query .= " (users.user_age >= '$age_from' AND users.user_age <= '$age_to') AND";
$query .= " (users.gender = '$gender_search') AND";

$query .= " users.country IN ($search_country)";

$search_query = mysql_query($query);
    • 0