Home/ Questions/Q 6627925
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T22:04:15+00:00

So, I have this PHP code: $tabid = getTabid($module); if($tabid==9) $tabid=9,16; $sql = select

  • 0

So, I have this PHP code:

$tabid = getTabid($module);
if($tabid==9)
  $tabid="9,16";
$sql = "select * from field ";
$sql.= " where field.tabid in(?) and";

Now, how exactly does the ? work here? I vaguely understand that in PHP, ?: is a ternary operator, but the colon isn’t being used here, and ? is part of a Postgresql query anyway.

The final query looks a bit like this:

select * from field where field.tabid in('9,16')

So, the question mark is replaced by the contents of $tabid, how does that happen?

The issue is that ('9,16') is not accepted by Postgres as an integer, it needs to be written like (9,16), so how do I do that? How do I remove the apostrophes?

Thanks a lot for the help, have a good day!

edit: More code was requested:

$sql.= " field.displaytype in (1,2,3) and field.presence in (0,2)";

followed by if statements, I think this is the relevant one:

if($tabid == 9 || $tabid==16)
{
    $sql.= " and field.fieldname not in('notime','duration_minutes','duration_hours')";
}
$sql.= " group by field.fieldlabel order by block,sequence";
$params = array($tabid);
//Running the query.
$result = $adb->pquery($sql, $params);

Oh, I think I see now, I think it is a place holder, a part of the pquery function:

function pquery($sql, $params, $dieOnError=false, $msg='') {
  Stuff
  $sql = $this->convert2Sql($sql, $params);
  }

Now, this is where it seems to get fun, here’s part of the convert2Sql function:

function convert2Sql($ps, $vals) {
   for($index = 0; $index < count($vals); $index++) {   
        if(is_string($vals[$index])) {
            if($vals[$index] == '') {
                $vals[$index] = "NULL";
            }
            else {
                $vals[$index] = "'".$this->sql_escape_string($vals[$index]). "'";
            }
        } 
    }
    $sql = preg_replace_callback("/('[^']*')|(\"[^\"]*\")|([?])/", array(new PreparedQMark2SqlValue($vals),"call"), $ps); 

    return $sql;
}

The problem I think lies in the
$vals[$index] = "'".$this->sql_escape_string($vals[$index]). "'"; line.
The sql_escape_string($str) function just returns pg_escape_string($str).

Sorry for the super long edit, but I still haven’t been able to get past I am afraid, thanks for all the help!

Edit 2: I fixed the problem, all it took was changin $tabid = "9,16" to $tabid = array(9,16). I have no idea why, oh and I also had to remove the group by statement because Postgresql requires every field to be placed in that statement.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    it is a positional parameter for a prepared statement

    See: http://php.net/manual/en/function.pg-prepare.php

    You don’t actually ‘remove’ the quotes, you have to pass SQL array of ints instead of a string value into the parameter when doing pg_execute

    An example: 

    // Assume that $values[] is an array containing the values you are interested in.
$values = array(1, 4, 5, 8);

// To select a variable number of arguments using pg_query() you can use:
$valuelist = implode(', ', $values);

// You may therefore assume that the following will work.
$query = 'SELECT * FROM table1 WHERE col1 IN ($1)';
$result = pg_query_params($query, array($valuelist))
     or die(pg_last_error());
// Produces error message: 'ERROR: invalid input syntax for integer'
 // It only works when a SINGLE value specified.

    Instead you must use the following approach:

    $valuelist = '{' . implode(', ', $values . '}'
$query = 'SELECT * FROM table1 WHERE col1 = ANY ($1)';
$result = pg_query_params($query, array($valuelist));
    • 0