My PHP code is:
$query="select company_name from company_names where cik=".$cik;
Which on printing gives
select company_name from company_names where cik=0001001871
I would like to get the output like
select company_name from company_names where cik='0001001871'
How do I add the single quotes in PHP?
Simply:
$query = "select company_name from company_names where cik = '$cik'";
Or:
$query = "select company_name from company_names where cik = '" . $cik . "'";
Notice that to prevent SQL Injection, see this:
Best Way to Prevent SQL Injection
More Info:
http://php.net/manual/en/language.types.string.php
$query="select company_name from company_names where cik='".$cik."'";
Related
Hello i have this simple query
$query = "SELECT id FROM `client` where name= ".$user_name;
Now the query is printed
select id from client where name = Bob;
when in fact it should be
select id from client where name = 'Bob';
how can i add single quotes in the php variable?
I warned you and you are fine to sql injection then just try this.
$query = "SELECT id FROM `client` where name= '".$user_name."'";
I have a problem in add value in SELECT query.
$sql=("SELECT `image` FROM `testtable`");
The output: 123.jpg
But I want output: 127.0.0.1/home/galery/123.jpg
So I tried:
$path='127.0.0.1/home/galery/';
.........
$sql=("SELECT $path+`image` FROM `testtable`");
But it's not working.
There are two ways to accomplish this.
Method 1:
Use string concatenation to join the path to the result from the SQL:
$path = '127.0.0.1/home/galery/';
$sql = "SELECT `image` FROM `testtable`";
// Run the query...
$result = $path . $sql;
In php, string concatenation is performed with the . operator. Also see here.
Method 2:
The second method is via the CONCAT SQL function:
$sql = "SELECT CONCAT('" . $path . "', `image`) FROM `testtable`";
Or:
$sql = "SELECT CONCAT('{$path}', `image`) FROM `testtable`";
See this question for the difference between these options.
$sql=("SELECT CONCAT('$path',`image`) FROM `testtable`");
Use concatenation like below....
$sql=("SELECT".$path."+image FROM test")
Here, text in double quotes are string
I am having a problem with this simple sql query:
<?php
require_once('../../Connections/tohoshows.php');
$show ='gothaf';
mysql_select_db($database_tohoshows, $tohoshows);
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
$getShows = mysql_query($query_getShows, $tohoshows) or die(mysql_error());
$row_getShows = mysql_fetch_assoc($getShows);
$totalRows_getShows = mysql_num_rows($getShows);
mysql_free_result($getShows);
?>
When I use the string directly in the WHERE clause like this
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf'";
I get a result. When I use the variable instead, I get no data! I am a novice and I can't figure out what am I doing wrong. Any help would be appreciated.
Thank you!
you getting no date because you have extra space betwee the quotes,
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
^ HERE ^
which will then be parsed into
SELECT * FROM toho_shows WHERE toho_shows.show =' gothaf '
remove it and it will work
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='". $show. "'";
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
i have a problem with php in the following:
$sql = 'SELECT name FROM chiled WHERE `im` LIKE $id ';
$query = mysql_query( $sql );
$a=mysql_fetch_row($query);
echo $a[0];
there is error in mysql_fetch_row($query);
but if i do the following :
$sql = 'SELECT name FROM chiled WHERE `im` LIKE 1111 ';
$query = mysql_query( $sql );
$a=mysql_fetch_row($query);
echo $a[0];
it is working and prints the name
can you please tell me what is wrong?
Single quotes in PHP doesn't evaluate embedded variables - you need to use double quotes to do that. (See the "Single quoted" section of the PHP Strings manual page for more info..)
i.e.: $sql = "SELECT name FROM chiled WHERE 'im' LIKE $id ";
Or better still...
$sql = 'SELECT name FROM chiled WHERE im="' . mysql_real_escape_string($id) . '"';
(As you're not using the % in your like, you're presumably not attempting to do any form of pattern matching.)
Additionally, I'd recommend a read of the existing Best way to stop SQL Injection in PHP question/answers.
Are you sure you want to be using LIKE? It looks more to me like you want to see if im = $id. Also, make sure you're escaping your variables before using them in the query.
Edit
If you DO want to us LIKE, you probably want something like this:
$sql = "SELECT name FROM chiled WHERE `im` LIKE '%$id%' ";
which will find anywhere that the string $id is found in the im column.
You need to quote the variable after LIKE, like this:
$sql = "SELECT name FROM chiled WHERE im LIKE '$id'";
$query = mysql_query($sql);
$a = mysql_fetch_row($query);
echo $a[0];
// ....
Beside, you are using single quotes, Therefore, $id is not replaced for its value. Your query look like this:
SELECT name FROM chiled WHERE im LIKE $id;
$sql = "SELECT name FROM chiled WHERE `im` LIKE '$id' ";
change to double quotes - http://php.net/manual/en/language.types.string.php
Whenever I try to perform my query, It gives me an unknown column error, because it is using my variable as the column name.
essentially
$search="lname";
$term="asdas";
(both of those are variables from a form on another page)
I run this:
if (isset($term))
{
$query = "SELECT * FROM test
WHERE $search = $term ";
}
else
{
$query = "SELECT * FROM test";
}
echo $query;
$result=mysql_query($query) or die(mysql_error());
and then I get this as my error:
Unknown column 'asdas' in 'where clause'
You need to enclose the search term in single quotes(also use mysql_real_escape_string to avoid any issues with quotes in the search string.).
i.e:
if (isset($term))
{
$query = "SELECT * FROM test WHERE $search = '" . mysql_real_escape_string($term) . "' ";
}
You need to quote it.
if (isset($term))
{
$query = "SELECT * FROM test
WHERE $search = '$term' ";
}
else
{
$query = "SELECT * FROM test";
}
echo $query;
$result=mysql_query($query) or die(mysql_error());
Other comments
It is always better to use parameterized queries if the driver supports it. It will prevent SQL injection. As it stands, someone could send in a string "' or ''='" and the query turns out to be
SELECT * FROM test WHERE col1 = '' or ''=''
which is really benign but unexpected behaviour. If the string contains single quotes, it also breaks your query (input is "o'neil")
SELECT * FROM test WHERE col1 = 'o'neil' # << unmatched quotes
So, at the very least use mysql_real_escape_string if you cannot use parameters, i.e.
$query = "SELECT * FROM test
WHERE $search = '" . mysql_real_escape_string($term) . "' ";
You need to quote your $term parameter:
// protect from trivial sql injection attacks.
$term = mysql_real_escape_string("adas");
$query = "SELECT * FROM test
WHERE $search = '$term'";
You have to surround the term value with quotes:
SELECT *
FROM test
WHERE lname='asdas'
otherwise any SQL server out there will think asdas is a field name and try to find it in the table.
Add ' around your columns
$query = "SELECT * FROM test WHERE $search = '$term' ";
you need to put single quotes around $term so that the SQL thinks it's a string
put single quote string always be quoted. Do not forgot use mysql_real_escape_sring()
$query = "SELECT * FROM test
WHERE $search = '$term' ";
Put single quotes around $term
if (isset($term))
{
$query = "SELECT * FROM test WHERE $search = '$term'";
}
else
{
$query = "SELECT * FROM test";
}
echo $query;
$result=mysql_query($query) or die(mysql_error());