PHP syntax error - SELECT WHERE - php

I am making an error with PHP SELECT WHERE code - which should be simple, but I have made no progress.
The code works with the SELECT FROM line, but not with the SELECT FROM WHERE line.
I have spent a few hours with no luck.
I have tried different syntax combinations with no progress.
$sql = "SELECT * FROM `customer_crm` WHERE `sales_agent` = '$username'";
//$sql = "SELECT * FROM `customer_crm`"; /* this works*/

Assuming that you set a default character encoding, you can use mysqli_real_escape_string to avoid SQL Injections. However, the comment to use a prepared statement is really the best advice here.
However, with mysqli_real_escape_string your SQL should work like that:
$sql = 'SELECT * FROM `customer_crm` WHERE `sales_agent` = "'.mysqli_real_escape_string($link,$username).'"';
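As an added example (not code from the question or either answer), here is the same lookup written as a mysqli prepared statement, which removes the quoting problem entirely because the value never becomes part of the SQL text. Connection parameters and the request field name are placeholders.

```php
<?php
// Added example: the query from the question as a mysqli prepared statement.
$mysqli = new mysqli('db_host', 'db_user', 'db_pass', 'db_name'); // placeholders
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}
// real_escape_string() can only escape correctly once the connection
// charset is known, so set it explicitly even if you end up not using it.
$mysqli->set_charset('utf8mb4');

$username = $_POST['username'] ?? '';   // assumed request field

// Interpolating $username into the string (as in the question) means a
// single quote inside the value breaks the query or changes its meaning.
// With a prepared statement the SQL text is fixed and the value is sent
// separately, so no quotes and no escaping are needed around the value.
$stmt = $mysqli->prepare(
    'SELECT * FROM `customer_crm` WHERE `sales_agent` = ?'
);
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('s', $username);      // 's' = bind as a string
$stmt->execute();

$result = $stmt->get_result();          // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // Escape on output too: the database is not the only injection sink.
    echo htmlspecialchars($row['sales_agent'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```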

You can even try this query
$sql = "SELECT * FROM customer_crm WHERE sales_agent = '".$username."'";

Related

Reading String from Variable for SQL Query

SQL newb here...
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = 'myid'"); works the way I want.
$compid1 = 'myid';
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = #compid1");
does not yield the same results.
I have also tried $compid1 and various other things, but without success.
Sorry for the simple question, but the answer is still eluding me. Thanks!
UPDATE: Oh yeah... the question. How can I use a prestored variable for my WHERE check?
You need to use $ before a variable, not #. And you need to put quotes around it since it's a string:
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = '$compid1'");
However, it would be best if you stopped using the mysql extension. Use PDO or mysqli, and use prepared statements with parameters. E.g. in PDO it would be:
$stmt = $conn->prepare("SELECT first_name FROM gamers WHERE comp_id = :compid");
$stmt->bindParam(':compid', $compid1);
$stmt->execute();
Enclose the string variable inside a pair of quotes.
$compid1 = 'myid';
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = '$compid1'");

PHP error get value from database

I have php script like this
$query = "select * where userid = 'agusza' ";
$result = mysql_query($query) or die(mysql_error());
while($row=mysql_fetch_array($result)) {
echo $result;
}
When I execute it, the result is like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where userid = 'agusza'' at line 1
But when I run that SQL on the SQL server, it runs well.
Anybody have a solution?
$query = "select * from table_name where userid = 'agusza' ";
See the corrections I have made. You haven't used the right syntax for the SELECT query.
You didn't select a table using FROM. Without that, it does not know which table you are selecting data from.
You should also stop using mysql as it is deprecated. Use mysqli or PDO as they are safer.
You are also echoing the wrong variable in your while loop, try this:
while ($row = mysql_fetch_array($result)) {
echo $row['column_name'];
}
$query = "select * from table where userid = 'agusza'";
Right now, you're not telling which table SQL should look in.
You should format your query like so:
select * from `TableName` where userid='agusza'
In your query below you don't state, using FROM, the database table from which you should get that data.
$query = "select * where userid = 'agusza' "; // instead of this
$query = "select * FROM declaredtable where userid = 'agusza' "; // use this

Using a variable as the column name in a mysql query

I'm trying to turn this:
"SELECT username FROM $table WHERE username='$newName'"
Into this:
"SELECT $column FROM $table WHERE $column='$newName'"
But when I use or die() on it, I get an error saying that there is incorrect syntax near WHERE username='someNameHere'. What is the correct way to substitute the column name, assuming that's what's wrong?
Edit: Code is just this. The values should be correct as I don't see any misspellings in the error.
$sql = "SELECT $column FROM $table WHERE $column='$newName'";
$result = mysql_query($sql) or die( mysql_error());
Make your query like this
$sql = "SELECT ".$column." FROM ".$table." WHERE ".$column."='".$newName."'";
BTW this is SQL injection vulnerable code. You should check the variables before using them in the query. Also, you should start using mysqli and prepared statements.
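Table and column names cannot be bound as prepared-statement parameters, so the check the answer mentions has to be an allow-list. The following added example (not from the question or the answers) shows that pattern: identifiers are validated against a fixed list and backtick-quoted, while the value is still bound. The column and table lists, connection parameters and request field names are assumptions.

```php
<?php
// Added example: variable column name via allow-list, value via placeholder.
$allowedColumns = ['username', 'email', 'display_name'];  // assumed schema
$allowedTables  = ['users', 'admins'];                     // assumed schema

// Accept an identifier only if it is on the allow-list, then quote it.
// Doubling any backtick is belt-and-braces: allow-listed names never contain one.
function quoteIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Identifier not permitted: $name");
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

$column  = $_GET['column'] ?? 'username';   // assumed request fields
$table   = $_GET['table']  ?? 'users';
$newName = $_GET['name']   ?? '';

// Only validated identifiers reach the SQL text; the value is a '?' placeholder.
$quotedColumn = quoteIdentifier($column, $allowedColumns);
$quotedTable  = quoteIdentifier($table, $allowedTables);
$sql = "SELECT $quotedColumn FROM $quotedTable WHERE $quotedColumn = ?";

$mysqli = new mysqli('db_host', 'db_user', 'db_pass', 'db_name'); // placeholders
$mysqli->set_charset('utf8mb4');
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('s', $newName);
$stmt->execute();
$nameTaken = $stmt->get_result()->num_rows > 0;   // what the original check wants
$stmt->close();
```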
"SELECT ".$column." FROM ".$table." WHERE ".$column."='".$newName."'";
Check to see if that works for you.

Mysql fetch PHP variable

$sql = "SELECT email FROM family WHERE family = '$family'";
$result = mysql_query($sqll)or die(mysql_error());
Is this the right way to get php variable into mysql query?
That could work. However, it's vulnerable to SQL injection.
This is safer:
$sql = sprintf("SELECT email FROM family WHERE family = '%s'",
mysql_real_escape_string($family));
$result = mysql_query($sql);
If you are starting with PHP/MySQL, I would recommend that you check the PDO or MySQLi extension, as it allows you to use smarter database queries that are easier to maintain.
The code has a typo.
$sqll is not defined. It must be $result = mysql_query($sql).
I believe this is the reason you are looking for... (since the question is too vague, which is probably because you got an error that you couldn't track)
From my knowledge, the best way to use it is like this:
if $family is not a string
$sql = "SELECT email FROM family WHERE family = ".$family;
if there is a string comparison, then
$sql = "SELECT email FROM family WHERE family = '".$family."'";
'$family': no need for single quotes here

MySQL Select statement

I have 2 values that I'm supplying to my script - I want to search for either of those values. How do I write my query like this:
SELECT * FROM table WHERE id = '".$id."' or "name='".$name."';
my problem is escaping the quotes in the query.
Any help will be appreciated.
There are a few ways to do it, a lot of them frowned on, but generally I would stick to using MySQLi and using the
mysqli_real_escape_string($mysqli, $id)
function, or in OOP
$mysqli = new mysqli('host', 'user', 'pass', 'database');
$id = $mysqli->real_escape_string($id);
$name = $mysqli->real_escape_string($name);
$results = $mysqli->query("SELECT * FROM table WHERE id = '{$id}' or name='{$name}'");
You may use curly brackets to avoid confusion with escaping characters as follows:
$query = "SELECT * FROM table WHERE id = '{$id}' or name = '{$name}' ";
You may also consider using wildcards such as %$letter% to search for word anywhere in the name field as:
$query = "SELECT * FROM table WHERE id = '{$id}' or name LIKE '%{$name}%' ";
SUGGESTION:
You should always use id fields as integers for better performance.
Use this fancy function, mayhaps? The examples have what you're looking for.
You've got an extra quote; if you want to stick with your original code (not recommended), try something like this:
$query = "SELECT * FROM table WHERE id = '".$id."' or name='".$name."'";
But really you should be using parameterised queries so that you avoid possible SQL injection security issues!
Write it as:
$name = mysql_real_escape_string($name);
$id = mysql_real_escape_string($id);
$query = "SELECT * FROM table WHERE id = '$id' or name= '$name' ";
Because you started with double quotes the single quotes are part of the query and the $vars are expanded.
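Pulling together the points made in this thread (parameterised queries instead of escaping, an integer id, and the LIKE wildcard search), here is an added PDO example that is not code from the question or any answer. Note that binding stops SQL injection but does not stop `%` and `_` inside the user's text from acting as LIKE wildcards, so those are escaped separately. Connection details, table name and request field names are assumptions.

```php
<?php
// Added example: "id OR name" search with PDO named placeholders.
$pdo = new PDO(
    'mysql:host=db_host;dbname=db_name;charset=utf8mb4',   // placeholders
    'db_user', 'db_pass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]
);

$id   = (int) ($_GET['id'] ?? 0);          // integer id, as suggested above
$name = (string) ($_GET['name'] ?? '');

// Exact match on either column: one placeholder per value, no quote juggling.
$stmt = $pdo->prepare(
    'SELECT * FROM `table` WHERE `id` = :id OR `name` = :name'
);
$stmt->execute([':id' => $id, ':name' => $name]);
$exactRows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Substring search. The bound value is safe from injection, but any '%' or
// '_' the user typed would still be a wildcard, so escape them with the
// backslash MySQL uses as the default LIKE escape character.
function likeContains(string $needle): string
{
    $escaped = str_replace(
        ['\\', '%', '_'],
        ['\\\\', '\\%', '\\_'],
        $needle
    );
    return '%' . $escaped . '%';
}

$stmt = $pdo->prepare(
    'SELECT * FROM `table` WHERE `id` = :id OR `name` LIKE :pattern'
);
$stmt->execute([':id' => $id, ':pattern' => likeContains($name)]);
$fuzzyRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```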
