Escaping Variables / Arrays in MySQL Strings

d'Anconia · 12-02-2012, 11:49 PM

Okay so I am currently attempting to make a mock-up of an eCommerce site and I noticed that on more than one occasion I have had issues trying to figure out the correct syntax for using arrays (multi-dimensional or otherwise) within MySQL query strings. Specifically the use of quotes (single or double) causes some confusion for me.

I want to put together a cart in the $_SESSION namespace that should have this form:
$_SESSION['cart']['item_' . $n], where $n starts from 0 and increases by one during every instance of the loop. For every 'item_n' there will be an associated 'item_n_qty' that holds the associated quantity in the cart for each item.

If I wanted to include this multi-dimensional array in a MySQL query, what is the best way to do this? Currently I have the following:

PHP Code:


			
$index = "item_" . $m;
                $item_quantity = "item_" . $m . "_qty";
                $cart = 'cart';
                $current_cart_query = "SELECT product_id, product_name, price, product_description, image_path, category 
                    FROM products WHERE product_id = $_SESSION[$cart][$index] LIMIT 1"; //need to do a join? why am I using product_id?

And that query is giving me errors when I try running it in my PHP script. Any help would be appreciated and I think the issue has to do with the fact that typically an array element name has to be in quotes, but when I tried that earlier ('cart' instead of $cart) NetBeans identified it as incorrect code.

d'Anconia · 12-03-2012, 01:45 AM

Okay so I figured out the problem. Apparently I have to use the curly braces around the entire $_SESSION variable. My final string that worked is as follows:

PHP Code:


			
$current_cart_query = "SELECT product_id, product_name, price, product_description, image_path, category 
                    FROM products WHERE product_id = {$_SESSION['cart'][$index]} LIMIT 1";

Just figured I'd let people know how I got it to work in case someone runs into the same problem.

PoorBoy · 12-03-2012, 02:41 AM

Thanks for sharing. We can also solve it by using concatenation operator like so..

PHP Code:


			
$current_cart_query = "SELECT product_id, product_name, price, product_description, image_path, category 
                    FROM products WHERE product_id = ". $_SESSION['cart'][$index] ." LIMIT 1";

Fou-Lu · 12-03-2012, 03:43 PM

Yep, in double quotations if you have a complex type you should use braces around them. A single dimension won't require them, but multiple dimensions will as the parser is ungreedy within the double quotes. So it would resolve first $_SESSION['cart'], then take the result (which is Array) and offset the [$index]. So it attempts to write it as Array[$index] which of course will not dereference to any valid value as its not a variable. The alternative above is the approach I would use, although typically I just use printformatting so I don't need to string concat. Another alternative is to use prepared statements and bind the variables.