Ok, I’ve spent entirely too long trying to add an if statement within a TSQL query string. Any help would be appreciated. Here’s the string with a syntax error.
$sql = "SELECT tblCasesLawyers.CaseID, tblCasesLawyers.PLAINTIFFLASTNAME + ', ' + tblCasesLawyers.PLAINTIFFFIRSTNAME AS PatientName, tblProcedures.ApplicationSubmitted, tblProcedures.CPTCode, tblProcedures.ProcedureDescription, tblCenters.CenterID, tblProcedures.ProcedureDate, tblProcedures.ProcedureStatus, tblProcedures.LeinAmount, tblProcedures.DatePaid
FROM (tblCasesLawyers INNER JOIN tblCenters ON tblCasesLawyers.Center_ID__C = tblCenters.CenterID) INNER JOIN tblProcedures ON tblCasesLawyers.CaseID = tblProcedures.CaseID
WHERE (((tblCenters.CenterID)={$_SESSION['center']}) AND (tblProcedures.ApplicationSubmitted >= 2012-05-01)".if !empty($_GET['search']) echo ('AND tblCasesLawyers.PLAINTIFFLASTNAME='.{$_GET['search']}).")
";
Thank you all for chiming in. I’m relatively new at this but attempted to prevent injection using the following:
function ms_escape_string($data) {
    // Unset or empty input comes back as ''. Note that empty() also treats the string "0" as empty.
    if ( !isset($data) or empty($data) ) return '';
    // A numeric value contains no quote characters, so it is returned unchanged.
    if ( is_numeric($data) ) return $data;
    // Strip control characters, both raw and URL-encoded.
    $non_displayables = array(
        '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/',  // url encoded 16-31
        '/[\x00-\x08]/', // 00-08
        '/\x0b/',        // 11
        '/\x0c/',        // 12
        '/[\x0e-\x1f]/'  // 14-31
    );
    foreach ( $non_displayables as $regex )
        $data = preg_replace( $regex, '', $data );
    // T-SQL escapes a single quote inside a string literal by doubling it,
    // so this only protects a value that is placed between quotes in the query.
    $data = str_replace("'", "''", $data );
    return $data;
}

function sanitize($data){
    $data=trim($data);
    // htmlspecialchars() is HTML output encoding; applying it here changes the value that is stored or compared.
    $data=htmlspecialchars($data);
    // Double any single quotes for T-SQL (the function defined above).
    $data=ms_escape_string($data);
    return $data;
}

$search = sanitize($_GET['search']);
I think that you need a single-line if here:
As stated in some comments, concatenating a query in this way could lead to SQL injection. To avoid SQL injection you can use prepared statements and parameterized queries; see this question to know the best way to avoid SQL injection 😉.
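What the two answers above describe (a single-line conditional for the optional clause, and a prepared statement instead of concatenating $_GET['search'] into the string), as an added example that is not part of the original post or either answer. It assumes a PDO connection over the sqlsrv driver with placeholder credentials $dsn, $user and $pass, the $_SESSION['center'] and $_GET['search'] values the question already uses, and the hypothetical helper name buildProcedureQuery. The date is bound as a parameter: written unquoted as in the question, 2012-05-01 is integer arithmetic in T-SQL (2012 minus 5 minus 1), not a date.

```php
<?php
// Added example (not from the original post). Assumes a PDO sqlsrv connection;
// $dsn, $user and $pass are placeholders for the real connection details.

/**
 * Build the query text and its parameter array. The optional last-name filter
 * is appended together with its bound parameter in the same branch, so the
 * placeholder list and the parameter array can never drift apart, and the
 * search value never becomes part of the SQL text.
 */
function buildProcedureQuery(int $centerId, ?string $lastName): array
{
    $sql = "SELECT cl.CaseID,
                   cl.PLAINTIFFLASTNAME + ', ' + cl.PLAINTIFFFIRSTNAME AS PatientName,
                   p.ApplicationSubmitted, p.CPTCode, p.ProcedureDescription,
                   c.CenterID, p.ProcedureDate, p.ProcedureStatus,
                   p.LeinAmount, p.DatePaid
            FROM tblCasesLawyers AS cl
            INNER JOIN tblCenters AS c ON cl.Center_ID__C = c.CenterID
            INNER JOIN tblProcedures AS p ON cl.CaseID = p.CaseID
            WHERE c.CenterID = :center
              AND p.ApplicationSubmitted >= :submitted";

    $params = [
        ':center'    => $centerId,
        ':submitted' => '2012-05-01', // bound as a string, which SQL Server converts to a date
    ];

    // The "single-line if" from the first answer, applied to the clause and its
    // parameter rather than to raw user input in the query string.
    if ($lastName !== null && $lastName !== '') {
        $sql .= " AND cl.PLAINTIFFLASTNAME = :lastname";
        $params[':lastname'] = $lastName;
    }

    return [$sql, $params];
}

// Connection (placeholders): e.g. $dsn = "sqlsrv:Server=localhost;Database=cases";
$pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

[$sql, $params] = buildProcedureQuery((int) $_SESSION['center'], $_GET['search'] ?? null);

$stmt = $pdo->prepare($sql);
$stmt->execute($params); // values are sent separately from the query text
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Because the search value is passed through execute() rather than spliced into the string, neither the ms_escape_string() quote doubling nor the htmlspecialchars() call is needed on the way into the query; HTML encoding belongs at output time, when $rows is rendered, not before the comparison.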
Thanks
Went with