Got myself the following error and I can't seem to figure out why:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Gravenmoer'' at line 1

This is the SQL syntax:

$plaats = $row['plaats'];

// the value is interpolated straight into the SQL string (this is the query that fails)
$query10 = "SELECT * FROM gebieden WHERE plaats = '$plaats'";

For those interested, the variable has this content: 's-Gravenmoer

Why is it giving me an error? Thanks!

  • this kind of db operation is disaster... var_dump($query10); output is? Commented Sep 10, 2012 at 8:16

2 Answers


Use mysql_real_escape_string or htmlspecialchars

$plaats = $row['plaats'];

// mysql_real_escape_string needs an open mysql_* connection; it escapes the
// quote so the string literal stays well-formed
$query10 = "SELECT * FROM gebieden WHERE plaats = '".mysql_real_escape_string($plaats)."';";

It's because the value of $plaats contains a single quote.

Your code is prone to SQL Injection. Use PDO or MySQLi

Example of using PDO extension:

<?php
    // $dbh is an existing PDO connection; the ? placeholder is filled by bindParam,
    // so the value never becomes part of the SQL text
    $stmt = $dbh->prepare("SELECT * FROM gebieden WHERE plaats = ?");
    $stmt->bindParam(1, $plaats);
    if ($stmt->execute())
    {
      while ($row = $stmt->fetch())
      {
        print_r($row);
      }
    }
?>

This will allow you to search records with single quotes.

3 Comments

Well, my code isn't at risk for SQL injection, because the user can only input something in this table with a selection box, they cannot enter a string or anything... That said, thanks for your code, gonna test it right away!
@user1555076 if that's the case, use the alternative mysql_real_escape_string($plaats)
@user1555076 if you do that, then it's fine.
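A runnable illustration of both answers, added here as an example rather than code from the question or the answers. It uses PDO over an in-memory SQLite database (an assumption, so the script runs without a MySQL server; the table and column names are the question's, the rows are constructed) to reproduce the syntax error the interpolated query causes, then shows the escaped-literal form (PDO::quote, PDO's counterpart of the first answer's mysql_real_escape_string) and the bound-parameter form from the second answer.

```php
<?php
// Added example, not from the question or the answers. PDO over an in-memory
// SQLite database is assumed so it runs offline; the page's own code targets MySQL.
// Table "gebieden" and column "plaats" are from the question; the rows are constructed.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE gebieden (id INTEGER PRIMARY KEY, plaats TEXT)");
// '' inside a SQL string literal is one apostrophe, so this inserts 's-Gravenmoer
$dbh->exec("INSERT INTO gebieden (plaats) VALUES ('Amsterdam'), ('''s-Gravenmoer')");

$plaats = "'s-Gravenmoer";   // the value from the question, leading apostrophe included

// 1. The original query: the value is pasted into the SQL text. The apostrophe
//    closes the string literal early and the remainder is parsed as SQL, which is
//    why the server reports a syntax error near 's-Gravenmoer'.
$query10 = "SELECT * FROM gebieden WHERE plaats = '$plaats'";
echo "Interpolated: $query10\n";
try {
    $dbh->query($query10);
    echo "  unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "  rejected: " . $e->getMessage() . "\n";
}

// 2. Escaping the literal (first answer). PDO::quote is the PDO counterpart of
//    mysql_real_escape_string: it doubles the apostrophe and adds the surrounding quotes.
$escaped = "SELECT * FROM gebieden WHERE plaats = " . $dbh->quote($plaats);
echo "Escaped:      $escaped\n";
$rows = $dbh->query($escaped)->fetchAll(PDO::FETCH_ASSOC);
echo "  matched " . count($rows) . " row(s)\n";

// 3. Bound parameter (second answer). The value never enters the SQL text at all,
//    so no escaping decision is needed and quotes in the data cannot alter the query.
$stmt = $dbh->prepare("SELECT * FROM gebieden WHERE plaats = ?");
$stmt->execute([$plaats]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "Bound:        matched " . count($rows) . " row(s): " . $rows[0]['plaats'] . "\n";
```

Run it with a PHP build that has pdo_sqlite; against MySQL only the DSN changes. The bound-parameter form is the one to keep: it needs no per-value escaping, and mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7.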
