1

I am trying to use session variable($_SESSION['asc_id'], which holds some value like "AS0027001") in an SQL statement, but it is not working. When I hardcode the value, it is providing results.

Can anyone please correct me.

MySQL query which is not working

$asc_id = $_SESSION['asc_id'];

$rs = mysql_query('select asc_lastname, asc_firstname, asc_middlename, lname_fname_dob
                     from issio_asc_workers where asc_user_type = 31
                      and asc_id  = "$asc_id"
                      and lname_fname_dob like "' .
                      mysql_real_escape_string($_REQUEST['term']) .
                      '%"  order by lname_fname_dob asc limit 0,10', $dblink);

Mysql query which is working

$rs = mysql_query('select asc_lastname, asc_firstname, asc_middlename, lname_fname_dob 
                     from issio_asc_workers where asc_user_type = 31
                      and asc_id  = "AS0027001" and lname_fname_dob like "' .
                      mysql_real_escape_string($_REQUEST['term']) .
                      '%"  order by lname_fname_dob asc limit 0,10', $dblink);
Improve this question
3
  • session_start(); in the FIRST line of your PHP script... Commented Jan 31, 2012 at 22:29
  • session variable($_SESSION['asc_id'],which holds some value like "AS0027001") --- why do you think it does? Commented Jan 31, 2012 at 22:30
  • Did you call session_start() before using it? Commented Jan 31, 2012 at 22:30

4 Answers 4

Reset to default
3

Variable substitution only works within double quoted strings, not single quoted ones. In other words, you should do;

$rs = mysql_query("select .... and asc_id  = '$asc_id' and ... limit 0,10", $dblink);

Btw, you did make sure the value doesn't include any characters that may lead to SQL injection, right? Otherwise you should use mysql_real_escape_string to make sure before inserting it into a query.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I changed my query like this but its not working. $rs = mysql_query("select asc_pa_lastname, asc_pa_firstname, asc_pa_dob,lname_fname_dob from issio_asc_patient where asc_id = 'mysql_real_escape_string($ascid)' and lname_fname_dob like '". mysql_real_escape_string($_REQUEST['term']) ."%' order by lname_fname_dob asc limit 0,10", $dblink);
@Devswa You need to add the first mysql_real_escape_string like you correctly added the second; try $rs = mysql_query("select asc_pa_lastname, asc_pa_firstname, asc_pa_dob,lname_fname_dob from issio_asc_patient where asc_id = '".mysql_real_escape_string($asc_id)."' and lname_fname_dob like '". mysql_real_escape_string($_REQUEST['term']) ."%' order by lname_fname_dob asc limit 0,10", $dblink);
1

When you print the strings, it will be clear. When the question is reformatted to leave the SQL readable, the problem is clear. (The first rule for debugging SQL statements is "print the string". A second rule, that makes it easier to comply with the first, is always put the SQL statements into a string which you pass to the SQL function.)

You use the . notation to embed the request term in the string; you don't use that to embed the $asc_id into the string. You should also use mysql_real_escape_string() on the session ID value to prevent SQL injection.

Improve this answer

Comments

1

First print the variable $asc_id . If it displays nothing, session is unavailable . In that case you missed session_start() in top of the current executing page .

From the SQL query, you cannot replace the value of a variable inside single quoted string . Use . symbol for mixing string value with variable or use double quoted string . I prefer first one .

For troubleshooting , simplest method is printing variable values. From the result , you will understand what is missing .

Thanks

Improve this answer

Comments

1

Try this. from the comment you added, I modified it like this

session_start(); //add this if you did not do it yet

$asc_id = $_SESSION['asc_id'];

$rs = mysql_query("select asc_lastname, asc_firstname, asc_middlename, lname_fname_dob
                 from issio_asc_workers where asc_user_type = 31
                  and asc_id  = '$asc_id'
                  and lname_fname_dob like '".
                  mysql_real_escape_string($_REQUEST['term']) .
                  "%'  order by lname_fname_dob asc limit 0,10", $dblink);
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.