$sql = "SELECT WSEmailAddress FROM wsmembers AS w, wsmemberinvites AS wi
WHERE w.MemberShipID = (SELECT IntroducingMemberID WHERE IntroducingMemberID = $introid)";
and I am getting this error
CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE IntroducingMemberID = 1)' at line 2
I tried wrapping the $introid var with apostrophes but it didn't help
$sql = "SELECT WSEmailAddress FROM wsmembers AS w, wsmemberinvites AS wi
WHERE w.MemberShipID = (SELECT IntroducingMemberID WHERE IntroducingMemberID = '$introid')";
At first: Never ever use unfiltered user input in your SQL queries! (hope this is formatted prominently enough)
You should always use parameter binding if you want to use user input (which includes request parameters) in your db query. Otherwise you open a big door for SQL injection attacks.
// The placeholder :introid is bound separately from the SQL text, so the request value is never parsed as SQL
$command=Yii::app()->db->createCommand('SELECT .... WHERE IntroducingMemberID=:introid');
$command->bindValue(':introid',Yii::app()->request->getQuery('introid'));
$rows=$command->queryAll();
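A complete version of the bound-parameter approach from the answer above, as an added example that is not from the original thread; it also supplies the FROM clause that the question's subquery was missing. It assumes a Yii 1.1 application with a configured db component, the table and column names from the question, and that wsmemberinvites.IntroducingMemberID refers to wsmembers.MemberShipID.

```php
<?php
// Added example, not code from the original thread. Returns the e-mail
// address of the introducing member identified by $introid, with the id
// passed as a bound parameter instead of being interpolated into the SQL.
// Assumes: Yii 1.1, a configured 'db' component, and that
// wsmemberinvites.IntroducingMemberID matches wsmembers.MemberShipID.

function findIntroducingMemberEmail($introid)
{
    // Reject anything that is not a plain positive integer before it reaches
    // the database. A bound parameter cannot alter the query's structure, but
    // validating here gives a clear error instead of a silent empty result.
    if (!ctype_digit((string) $introid)) {
        throw new CHttpException(400, 'introid must be a positive integer');
    }

    // Same shape as the question's query, with the FROM clause the subquery
    // lacked (that omission caused the 1064 syntax error) and LIMIT 1 so the
    // subquery can never return more than one row.
    $sql = 'SELECT w.WSEmailAddress
            FROM wsmembers AS w
            WHERE w.MemberShipID = (
                SELECT wi.IntroducingMemberID
                FROM wsmemberinvites AS wi
                WHERE wi.IntroducingMemberID = :introid
                LIMIT 1
            )';

    $command = Yii::app()->db->createCommand($sql);
    // The value travels to MySQL separately from the SQL text, so quotes or
    // comment markers in the request parameter are treated as data, not SQL.
    $command->bindValue(':introid', (int) $introid, PDO::PARAM_INT);

    // queryScalar() returns the first column of the first row, or false.
    return $command->queryScalar();
}

// Typical controller usage: the id arrives as ?introid=... on the request.
$email = findIntroducingMemberEmail(Yii::app()->request->getQuery('introid'));
```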