Member Avatar for ebanbury

Hi

I have a single search field ' agent_name' in a form which is a dropdown field of data based on the concatonation of 2 fields: reg_fname and reg_lname

When I do the SELECT Query though I'm getting a bit mixed up.....

The data from reg_fname & reg_lname does not go into fullname
Also for obvious reasons I cant' compare what is selected in the field agent_name with fullname.....

But I don't know how else to go about this?

SELECT DISTINCT DEV_user_registration.reg_fname + ' ' +  DEV_user_registration.reg_lname AS DEV_user_registration.fullname 
FROM DEV_user_registration 
WHERE DEV_user_registration.reg_agent = 'Yes' 
AND DEV_user_registration_fullname = '$_GET[agent_name]' ";

Any help would be great....thank you

  • 4 Contributors
  • 9 Replies
  • 183 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by ebanbury
Member Avatar for poojavb

Is fullname alos a columnname in the table or just an alias u r giving to the concatenation of fname and lname

if it is a column name then I guess it wont go into the column else if it an alias then try below code

SELECT DISTINCT DEV_user_registration.reg_fname + ' ' + DEV_user_registration.reg_lname AS 'Fullname'
FROM DEV_user_registration
WHERE DEV_user_registration.reg_agent = 'Yes'
AND DEV_user_registration.reg_fname + ' ' + DEV_user_registration.reg_lname = '$_GET[agent_name]' ";

I guess it shud be this way

Member Avatar for ebanbury

Thanks I'll try it.
Yes it is an alias. The column fullname doesnt' actually exist.

Member Avatar for Szabi Zsoldos

Or simply you can use the CONCAT() function

Member Avatar for smantscheff

The + operator does not concatenate strings. Use Concat() instead.
And beware of SQL injection. $_GET[agent_name] is likely to get you into trouble

Member Avatar for ebanbury

Hi Yes

The CONCAT() works. Many thanks

Member Avatar for ebanbury

The $_GET is from a dropdown list of options dynamically taken form the db table and validated - so hopefully should be ok.?

Member Avatar for Szabi Zsoldos

In that case, you should escape it mysql_real_escape_string($_GET['something'])

Member Avatar for smantscheff

Unfiltered use of $_GET variables in SQL statements opens a door for SQL injection. It does not matter if the values are checked against a reference table - when it comes to checking, the harm has already been done.

Member Avatar for ebanbury

Yes I will thanks!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.