This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
This string works:
$sql = 'SELECT * FROM Bar_Info WHERE b_id=' .
$db->real_escape_string($_GET['b_id']);
However, this one does not:
$sql = 'SELECT * FROM Bar_Info WHERE BarLink=' .
$db->real_escape_string($_GET["BarLink"]);
b_id are variables and BarLink are names of bars some including hyphens. An example being: granite-city
Is there any reason the second example of code would not work?
You need to quote your SQL parameters:
$sql = 'SELECT * FROM Bar_Info WHERE BarLink=\'' . $db->real_escape_string($_GET["BarLink"]).'\'';
The first query likely works because you just use numbers, but the second one uses a string.
PS: Quoting is necessary in both cases as otherwise you are vulnerable to SQL injection.
strings in SQL queries have to be surrounded by quotation marks, while integers don't. So if "BarLink" contains strings, you'll have to add those:
$sql = 'SELECT * FROM Bar_Info WHERE BarLink="' . $db->real_escape_string($_GET["BarLink"]).'"';
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
Im trying to add an extra AND statement to my SQL query.
I work fine as:
SELECT * FROM tsv WHERE YEAR(`Reporting Date`) = 2017 AND MONTH(`Reporting Date`) = 6
But when I try to add the extra line (AND ISRC = QZERG1727327) in the end it dosen´t work any more
SELECT * FROM tsv WHERE YEAR(`Reporting Date`) = 2017 AND MONTH(`Reporting Date`) = 6 AND ISRC = QZERG1727327
It´s hard to find any solutions online, I really don´t know what to do.
Strings in SQL have to be enclosed in single quotes, so your query should be
SELECT * FROM tsv
WHERE YEAR(`Reporting Date`)=2017 AND MONTH(`Reporting Date`)=6
AND ISRC='QZERG1727327'
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I have the following line of PHP which has connections set up and everything. It gives me the following error:
( ! ) Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\UwAmp\www\dxlphin\index.php on line 174
Here's the code:
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%'.$_POST['search'].'%'";
Any guidance? This syntax is far too complicated for me, despite my best efforts...
Thanks,
This is the better option:
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE ?";
Then prepare that statement and bind the value with the wildcards appended ("%$_POST[search]%").
If you're going to put an array with a string key inside a string like that, (which is fine, but not for inserting user data into SQL strings, as others have also pointed out) you need to omit the quotes on the key, unless you have bracketed the variable. That's why you're getting the syntax error. And the concatenation operators (.) aren't necessary because the variable is already in the string.
$string = "some text '$array[key]' and so on";
OR
$string = "some text '{$array['key']}' and so on";
But really, this is not the way to go for SQL regardless, just FYI on how to use strings.
You are mixing quotes and double quotes
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%".$_POST['search']."%'";
However, your code is very insecure. As it has been suggested in the comments, you should use Prepared Statements to avoid SQL Injections.
For example, using PDO (http://php.net/manual/en/class.pdo.php):
$pdo = new PDO(<dsn>); // Check the manual to see how to build your dsn
$query = $pdo->prepare("SELECT id, name, price, location FROM products WHERE name LIKE :searchTerm");
$query->execute([':searchTerm' => "%" . $_POST['search'] . "%"]);
You have to end the quotes with whatever you started with before concatenating. So since you started your string with ", you should end it with " before concatenating .$_P.... Your line should be:
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%".$_POST['search']."%'";
Note that its wrong to pass a variable from $_POST directly to the db to avoid SQL injection.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
So I'm a beginner with PHP, and currently, I'm studying MySQL right now, and I'm having trouble with this particular code.
$connection = mysqli_connect('localhost','root','','loginapp');
$username = $_POST['username'];
$password = $_POST['password'];
$query = "INSERT INTO users(username,password) VALUES ('$username','$password')";
$result = mysqli_query($connection,$query);
if ($result)
echo 1
else if(!$result)
echo 0;
*Basically it echoes 1 if the username and password have been transferred to the database successfully, and 0 when it doesn't.
If I remember correctly, you only use quotes ' ' for strings and when passing variables, you don't need to encase them with ' or ". So, I tried removing the quotes from the variables in VALUES($username,$password) and it starts to echo 0 instead. Can anyone provide me an explanation as to why the variables have to be enclosed with ' or " inside the VALUES so I'd have a better understanding of how it works?
You password and username fields must be strings in mysql, so you'll need to put them between quotes on the query.
I suggest you to take a look at prepared statments too, it will be a better way to do this query.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
here's my question:
What is a PHP variable/string without quotes? Below is the code I wrote and went wrong:
$email = $_POST['email'];
$query = "DELETE FROM email_list WHERE email = $email";
the correct code should be:
$query = "DELETE FROM email_list WHERE email = '$email'";
So, variable $email is not a string without quotes, even if it's what I input in the form?
Then I wrote a code in PHP:
echo($email."<br />");
echo("$email" ."<br />");
The result turned out to be same in the browser.
So why should I add another single quotes to enclose $email while it's already enclosed by double quotes?
Writing $email and "$email" outputs the same. Writing "'$email'" doesn't.
In the last case, you are adding a single quote before and after; which are needed by SQL to recognize a string.
If the creators of the SQL language had decided that strings had to be enclosed between # you would have to write "#$email#" if you want the SQL engine to recognize the string. It has nothing to do with how PHP treats or interpolates strings; it has to do with SQL.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Using LIKE in bindParam for a MySQL PDO Query [duplicate]
(2 answers)
Closed 7 years ago.
I'm trying to get PDO to return the results of a wildcard search. My code is:
$search = "%Notes%";
$result = $db->prepare("SELECT * FROM books WHERE 'name' LIKE :search");
$result->bindParam(':search', $search);
$result->execute();
while($arr = $result->fetch(PDO::FETCH_ASSOC)){
echo $arr['name'];
}
At the moment, I get a blank screen. If I run the sequel through PHPMyAdmin:
SELECT * FROM books WHERE name LIKE '%Notes%'
I get the appropriate result.
I assume it's something to do with the way I am formatting my PDO statement, I know you can't have a dynamic column name but I don't see what is going wrong?
in your query you have 'name' change that to just backticks instead of quotes
aka
$result = $db->prepare("SELECT * FROM `books` WHERE `name` LIKE :search");
you can also just remove the backticks