0

I have an issue with a SQL query using quotes with variables. (In general I use "bind", so I don't have this kind of problem.) Here's the query:

$myquery = mysql_query("SELECT * FROM mytable ORDER BY id ASC WHERE var='".$var."'");

The syntax does not seem to be correct; can anybody help?

4
  • 1
    Please, don't concat SQL strings... Commented Oct 24, 2012 at 10:20
  • 1
    This approach is usually prone to SQL injection attacks, so it is not really advisable. "Seems not to be correct" means absolutely nothing; are you getting an error? Commented Oct 24, 2012 at 10:22
  • @lanzz, sorry not to be precise: in fact the query loads some data that I display on my webpage, but here it fails to display this data. Commented Oct 24, 2012 at 10:25
  • 2
    Your query does not work because you have swapped the order of ORDER BY and WHERE clauses, not because of the quotes. If you fix the clause order, your query will work (albeit still vulnerable to injection), so there is no point to keep asking how to fix your quotes. Commented Oct 24, 2012 at 10:38

3 Answers

2

well you can try something like this:

// Escape the value first, then splice it into the quoted placeholder; WHERE now precedes ORDER BY
$query = sprintf("SELECT * FROM mytable WHERE var='%s' ORDER BY id ASC", mysql_real_escape_string($var));
$result = mysql_query($query) or die("Error: " . mysql_error());

Also note that ORDER BY is in the wrong place. This is more readable, and you don't need to bother with single-quote concatenation. It is also safe from SQL injection. Hope this helps!


1 Comment

@lanzz, you are right; I just forgot to put mysql_real_escape_string($var). Thanks
1

In general you should use the parameter binding features provided by your DBD (Database Driver for Perl) or other language and driver combination. I gather that you're using PHP (though you should tag your questions accordingly to remove the ambiguity).

Here's a StackOverflow thread on How to bind SQL parameters in PHP (using PDO). Note there are limitations to the PHP PDO::bindParam method as compared to similar features in other languages. So read the linked thread for caveats.

Here's another discussion about Binding Parameters to Statements ... for Perl (but conceptually applicable to other programming languages and their SQL libraries/drivers).

1 Comment

I know, I always use the bind technique. Here I wondered about that because I am working on a project that uses quotes massively for the SQL queries, so I wanted to make it clear.
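As an added example (not code from the question or from any answer above), the following PHP puts the three approaches discussed in this thread side by side with the WHERE/ORDER BY order corrected: the question's concatenation, the escape-then-sprintf form from the answer above, and the bound-parameter form this answer recommends. It assumes a MySQL table `mytable` with columns `id` and `var` as in the question; the DSN, credentials, and the `O'Reilly` sample value are placeholders constructed here. Because the `mysql_*` extension used in the thread was deprecated in PHP 5.5 and removed in PHP 7.0, the escaping variant uses `mysqli` instead.

```php
<?php
// Added example, not part of the original thread. Assumes a MySQL database
// with the question's "mytable" (columns id, var); credentials are placeholders.
declare(strict_types=1);

// 1. The question's approach: string concatenation, clause order fixed.
//    The value is still spliced into the SQL text, so any quote character
//    in $var changes the statement. Kept only to contrast with the forms below.
function buildConcatenated(string $var): string
{
    return "SELECT * FROM mytable WHERE var='" . $var . "' ORDER BY id ASC";
}

// 2. The escape-then-sprintf approach from the accepted-style answer.
//    This is only correct when the %s sits inside quotes in the SQL and the
//    escaper knows the connection's character set, which is why it takes the
//    live mysqli connection rather than a standalone function.
function buildEscaped(mysqli $db, string $var): string
{
    return sprintf(
        "SELECT * FROM mytable WHERE var='%s' ORDER BY id ASC",
        $db->real_escape_string($var)
    );
}

// 3. Parameter binding with PDO. The SQL text never contains the value, so
//    quoting is the driver's job, not the application's. bindValue() copies
//    the value at call time; bindParam() binds by reference until execute().
function fetchByVarPdo(PDO $pdo, string $var): array
{
    $stmt = $pdo->prepare('SELECT * FROM mytable WHERE var = :var ORDER BY id ASC');
    $stmt->bindValue(':var', $var, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A legitimate value containing an apostrophe (constructed sample) shows the
// difference without any database: the concatenated form has unbalanced
// quotes, while the bound form leaves the SQL text untouched.
$sample = "O'Reilly";
echo buildConcatenated($sample), "\n";   // SELECT ... WHERE var='O'Reilly' ORDER BY id ASC  (broken)

// Usage against a real connection (placeholder DSN and credentials).
// Disabling emulated prepares makes the MySQL server do the parameter
// substitution, so client-side charset handling cannot get in the way.
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$rows = fetchByVarPdo($pdo, $_GET['var'] ?? '');
foreach ($rows as $row) {
    // Escape on output as well: the database is not the only place quotes matter.
    echo htmlspecialchars((string) $row['var'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The design point is that `fetchByVarPdo` never has to reason about quoting at all: the placeholder `:var` is part of the statement structure, and the value travels separately. The escaped `sprintf` form works, but only as long as every call site remembers both the quotes around `%s` and the escaping, which is exactly the discipline the question's project is struggling to keep.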
-1

You can use it like this:

$myquery = mysql_query("SELECT * FROM mytable ORDER BY id ASC WHERE var='$var'");

4 Comments

Without evidence to the contrary, I assume $var has not been passed through mysql_real_escape_string, so this approach is prone to SQL injection. It also has the wrong ORDER BY/WHERE clause order present in the question, so it is still syntactically invalid.
The solution of @alan978 worked fine, but your expression doesn't seem to work. Just out of curiosity, is there some way to write a query using quotes without using sprintf-style usage?
@lanzz, he has not told us about the data, so we can assume he is assigning the value of the data directly :P
@Newben, that's not a MySQL feature; check it here: trans4mind.com/personal_development/phpTutorial/quotes.htm
