We Keep Coding

PHP Using a string inside string [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
I want to change the 401 in the code below to a string based on a value from my website like
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = '$jeff''
but I'm getting
Parse error: syntax error, unexpected '$jeff' (T_VARIABLE) in /public_html/wp-content/themes/real-spaces/single-property.php on line 384
Here's the code that works:
if(! $conn2 )
{
die('Could not connect: ' . mysql_error());
}
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = 401' ;
mysql_select_db('fncletvn_wp389');
$retval2 = mysql_query( $sql2, $conn2 );
if(! $retval2 )
{
die('Could not get data: ' . mysql_error());
}
while($row2 = mysql_fetch_array($retval2, MYSQL_ASSOC))
{
echo "{$row2['post_content2']} <br> " ;
}
I'm very new to programming so plase help :D
By the way, what I'm trying to do is pull out the value of post_content2 from the database based on the ID of the current post which is $jeff

Simply use quotes like this:
$sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = '$jeff'";
This will create sql string as:
SELECT post_content2 FROM wp_posts WHERE ID = '401'
When $jeff=401
But as per your question, if you want like this:
SELECT post_content2 FROM wp_posts WHERE ID = 401
Just use:
$sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = $jeff";
FYI: Single quotes will not replace your PHP variable with value, instead it prints the variable as it is. Double quotes will do the replacement.

Either you can use the answer given by #myway or you can use mysql pre pared statements. I will recommend you to use pre-pared statements since they are secure and re usable.

Note that if you use $sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = $jeff";$sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = $jeff"; as indicated by previous commenter, your $jeff must be quoted.
Just be sure to first apply mysql_escape_string($jeff) beforehand.
Also, I now that you did not ask about this, but I absolutely have to warn you that the mysql_* functions are depreciated and you should never use them except when modifying existing code--in which case you should be actively changing your code to the mysqli_* variants.

You're also missing the concatenation operator in your code: $sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = '$jeff''
PHP's concatenation operator is ..
Use it like this:
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = '.$jeff;
If $jeff is a string, not an int, you will need to encose it in quotes like this:
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = "'.$jeff.'"';
However if $jeff is supplied by the client in any way, you should use prepared statements to protect against mysql injection.
What PHP was trying to tell you with Parse error: syntax error, unexpected '$jeff' (T_VARIABLE), is that it didn't know why there was a variable next to a string in an assignment operation. Nor what you were trying to do with it. The concatenation operator indicates that you want that variable joined to the string next to it as if it were also a string. Which becomes an important distinction in loosely typed languages like PHP.

mysql_fetch_array error when using WHERE clause

Im using:
$query = "SELECT * FROM mydb WHERE condition = New ORDER BY id ASC";
but i get this error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/mydb.php on line 84
however if i remove the where clause it works perfectly, can anyone point me in the right direction?
Is the Where clause not usable when doing a fetch array?
Thanks for any help.
edit: error message I've got:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'condition = 'New' ORDER BY id ASC'

always run all your queries this way (at least until you adopt some intelligent lib for this)
$query = "SELECT * FROM mydb WHERE condition = New ORDER BY id ASC";
$result = mysql_query($query) or trigger_error(mysql_error()." in ".$query);
just because not a single soul in the world can tell what's wrong with your query, but database itself. So, you have to ask it if there were any trouble. Not stackoverflow community (they have no idea anyway) but your db server. That's the point.
Note that you have to be able to watch errors occurred, either on-screen or in the error log.
After getting error message about syntax error you have to check syntax of the displayed query. If there are no visible errors, refer to http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html in case there are reserved word unescaped in your query. condition seems is. So
$query = "SELECT * FROM mydb WHERE `condition` = New ORDER BY id ASC";
will be solution

You appear to be missing quotes around the word "New".
$query = "SELECT * FROM mydb WHERE condition = 'New' ORDER BY id ASC";
Also, are you passing $query to mysql_fetch_array, or did you just not mention the mysql_query call in your question?

Since you have tried adding single quotes to the ('New'),
kindly ensure that the condition is a column in the table you are querying and
that mydb is a table in your database (and not your database name)!

You have to quote the string.
$query = "SELECT * FROM mydb WHERE `condition` = 'New' ORDER BY id ASC";
Edit:
condition is a reserved word.

Is New one of your columns or just a value?
Try this:
$query = "SELECT * FROM mydb WHERE condition = 'New' ORDER BY id ASC";

$query = "SELECT * FROM mydb WHERE condition = 'New' ORDER BY id ASC";
$result = mysql_query( $query );
while( $row = mysql_fetch_array( $result ) {
// use $row
}

Never assume that a query will work - expect errors and check for them before processing any results.
$query = 'SELECT * FROM `mydb` WHERE `condition` = "New" ORDER BY `id` ASC';
$result = mysql_query( $query );
if( !$result ){
// Query Failed. You can access the error details with mysql_error()
}elseif( mysql_num_rows( $result )==0 ){
// Query Returned No Results
}else{
while( $r = mysql_fetch_assoc( $result ) ){
// Do whatever you want with the row, which is $r
}
}

PDO Database access WHERE title = $title

I'm trying to learn to use PDO instead of MySQLi for database access and I'm having trouble selecting data from the database. I want to use:
$STH = $DBH->query('SELECT * FROM ratings WHERE title=$title ORDER BY date ASC');
$STH->setFetchMode(PDO::FETCH_ASSOC);
while($row = $STH->fetch()) {
echo $row['title'];
}
but I'm getting this error:
Fatal error: Call to a member function setFetchMode() on a
non-object in
/home/owencont/public_html/owenstest.com/ratemystudents/index.php
on line 6
If I take out the WHERE statement it works fine. How can I select a row based on if it's value matches a variable?
Thanks,
Owen

It's likely a SQL syntax error, because you forgot to quote $title. It ended up as bareword in the query (also not even interpolated as string), resulting in an error. And your PDO connection was not configured to report errors. Use ->quote() on arguments before the ->query():
$title = $DBH->quote($title);
$STH = $DBH->query("SELECT * FROM ratings WHERE title=$title ");
Or better yet, use parameterized SQL:
$STH = $DBH->prepare("SELECT * FROM ratings WHERE title=? ");
$STH->execute(array($title));

Take a look at PDO::prepare and PDOStatement::execute. The safest way to add user content to a query is to prepare a basic statement and bind the parameter to it. Example (note the question mark in the SQL statement):
$STH = $DBH->query('SELECT * FROM ratings WHERE title=? ORDER BY date ASC');
$STH->execute( array( $title ) );
while( $row = $STH->fetch( PDO::FETCH_ASSOC ) );

Make PDO throw errors so you can see what exactly goes wrong. See How to squeeze error message out of PDO?
You are probably missing quotes around $title but this scenario really calls for prepared statements instead.

remove the variable out of the sql statement because its a php variable
$STH = $DBH->query('SELECT * FROM ratings WHERE title=' . $title . 'ORDER BY date ASC');

Use double quotes instead of single quotes as a parameter of the query-method.
The reason you're getting this error is because the query-method fails and so the $STH object isn't created. You should implement some error handling.

mysqli query not working when variable inserted

I need an extra pair of eyes! I have a super-simple query:
$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = 'the-test-post' LIMIT 1");
$row = $result->fetch_array();
and this gives me the post_id. However, if I insert a variable for post_uri, the result is empty. Ways I tried of which none worked:
$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = '".$post_uri."' LIMIT 1");
$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = ".$post_uri." LIMIT 1");
$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = $post_uri LIMIT 1");
I have similar query on another page working just right, so that confuses me even more. Help appreciated.

You are slapping a variable directly into a query. This is error prone (as you are discovering) and has a high risk that you'll fail to sufficiently sanitise it (and thus cause an SQL injection vulnerability).
Use the PDO layer and bound variables.

If you put that query in a string and echo it, you can check what happens. There might be something wrong with that variable!
echo "SELECT post_id FROM blog_posts WHERE post_uri = '".$post_uri."' LIMIT 1";
And so on. I'll bet there's either nothing, or something you're not expecting in that $post_uri, because it shouldn't matter to mysql how you've build your query.

I had a similar problem. Your syntax looks fine. Try to use a simple version of the
db connection call. Below are compared the version that worked (above) to the one
that failed (below).
$sqli = new mysqli('localhost', 'my_user', 'my_password', 'my_db');
$mysqli->real_connect('localhost', 'my_user', 'my_password', 'my_db')
I had use a variable in my query and had a $mysqli->real_connect db connection.
That would not work. But when I switched to the new mysqli type I was surprised
that the variable query did work.
I hope that works out for you.

SQL Syntax Error - PHP/MySQL

Can anyone tell me what's going on here. I'm not sure why this code is not working and throwing the following error:
You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND role != 7 AND role != 4' at line 3
$sql = 'SELECT * FROM tblusers
INNER JOIN permissions on tblusers.usrID = permissions.user_id
WHERE permissions.team_id='.$team_id.' AND role != 7 AND role != 4';
require("connection.php");
$result = mysql_db_query($DBname,$sql,$link) or die(mysql_error());
while($row = mysql_fetch_assoc($result))
{
$message->addTo($row['usrEmail'], $row['usrFirst'] . ' ' . $row['usrLast']);
}
I know that the variable $team_id is working fine, because if I "echo" it, it works fine. Any ideas on what I'm doing wrong here? Thanks!

echo out $sql, try the statement in the database or paste it here so we can debug it. I initially suspected that you needed quotes around the variable but you probably don't since its a number.
Do both tables have a row column or does just one table have it?

I get that exact error message if $team_id is empty - are you sure it's set at that point in the code?

By using prepared statements you can avoid quotes problems.
$dbConn = new mysqli("127.0.0.1", "username", "password", "db");
$stm = $dbConn->prepare("SELECT * FROM tblusers WHERE team_id = ?");
$stm->bind_param("i", $team_id); /* 'i' for an integer */
$stm->execute();

role field is ambiguous try tblusers.role