Dak Dak - 4 months ago 12
MySQL Question

PHP: Run a mysql_query statement containing a string, but the string contains a string set in an included file that is called before the string is set

I have a PHP file included in the first line of my main PHP script like this:

// Include obfuscated MySQL queries
include "../../secure_storage/mysql_queries.php";

// $user_id stores the cookie as a variable. The cookie contains the user ID
$user_id = $_COOKIE['storerun_user_id'];

// Query the database to get the user's account information
$account_query = mysql_query($account_query_sql);

The included PHP file contains this line of code:

$account_query_sql = "SELECT `first_name`, `last_name`, `email`, `password`, `referral_link`, `street_address`, `floor_apartment_number`, `notes`, `ecocash_number` FROM `users` WHERE `user_id` = '$user_id'";

Reason being that I'm obfuscating SQL queries and placing them in a directory away from the root on the server.

The problem is that the included file contains an SQL query containing $user_id but the string is only set after the file is included. Any ideas on how to use my setup and be able to run the mysql_query? I've been trying to figure this out in my head all day. Surely there's a way to do this.


Dak, I wouldn't worry about hiding your SQL queries. However, if you do want to do this, one could add a string replace statement just prior to your query database statement and edit your included file to use 'search_item', e.g.:

// str_replace() returns the modified string, so assign the result back
$account_query_sql = str_replace('search_item', $user_id, $account_query_sql);

and the included file would define $account_query_sql as below.

$account_query_sql = "SELECT `first_name`, `last_name`, `email`, `password`, `referral_link`, `street_address`, `floor_apartment_number`, `notes`, `ecocash_number` FROM `users` WHERE `user_id` = 'search_item'";
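An added example, not part of the original question or answer: the same "query text defined before the value exists" layout using a PDO prepared statement, where the included file holds a `:user_id` placeholder and the value is bound at execution time instead of being pasted into the SQL string. Assumptions: PDO replaces the `mysql_*` functions, an in-memory SQLite database with constructed rows stands in for the MySQL server, and `fetch_account()` and the shortened column list are hypothetical.

```php
<?php
// Stands in for ../../secure_storage/mysql_queries.php: the query text is
// fixed here and carries a named placeholder, so $user_id need not exist yet.
$account_query_sql =
    "SELECT first_name, last_name, email FROM users WHERE user_id = :user_id";

// Constructed sample data. Assumption: the real site would open a PDO
// connection to MySQL here instead of in-memory SQLite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user_id TEXT PRIMARY KEY,
            first_name TEXT, last_name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('17', 'Ada', 'Example', 'ada@example.test')");
$pdo->exec("INSERT INTO users VALUES ('18', 'Bob', 'Example', 'bob@example.test')");

// Hypothetical helper: prepare the stored query, then bind the value.
// The value travels separately from the SQL text and is never parsed as SQL.
function fetch_account(PDO $pdo, string $sql, string $user_id): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':user_id' => $user_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In the page's script this would be $_COOKIE['storerun_user_id'].
$user_id = '17';
$rows = fetch_account($pdo, $account_query_sql, $user_id);
echo count($rows), " row(s) for a well-formed id\n";

// A cookie value containing quote characters (constructed).
$odd_id = "17' OR '1'='1";

// With text substitution the quotes become part of the statement and the
// WHERE clause is no longer the one stored in the included file:
$template = "SELECT first_name FROM users WHERE user_id = 'search_item'";
echo str_replace('search_item', $odd_id, $template), "\n";

// With a bound parameter the same value is compared as one literal string,
// matches no user_id, and returns nothing.
$rows = fetch_account($pdo, $account_query_sql, $odd_id);
echo count($rows), " row(s) for the quoted value\n";
```

Binding keeps the cookie value out of the SQL text, but the value is still chosen by the client, so it does not by itself establish which user is making the request.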