PHP string variable in WHERE clause MySQL

Question

I am having a problem with this simple sql query:

<?php 
require_once('../../Connections/tohoshows.php'); 

$show ='gothaf';

mysql_select_db($database_tohoshows, $tohoshows);
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
$getShows = mysql_query($query_getShows, $tohoshows) or die(mysql_error());
$row_getShows = mysql_fetch_assoc($getShows);
$totalRows_getShows = mysql_num_rows($getShows);

mysql_free_result($getShows);
?>

When I use the string directly in the WHERE clause like this

 $query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf'";

I get a result. When I use the variable instead, I get no data! I am a novice and I can't figure out what am I doing wrong. Any help would be appreciated. Thank you!

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. — Kermit
– Kermit, Commented Mar 28, 2013 at 14:39

Community · Accepted Answer · 2017-05-23 10:30:59Z

20

you getting no date because you have extra space betwee the quotes,

$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
                                                                    ^ HERE      ^

which will then be parsed into

SELECT * FROM toho_shows WHERE toho_shows.show =' gothaf '

remove it and it will work

$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='". $show. "'";

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

How to prevent SQL injection in PHP?

edited May 23, 2017 at 10:30

CommunityBot

11 silver badge

answered Mar 28, 2013 at 14:30

John Woo

265k70 gold badges509 silver badges500 bronze badges

Sign up to request clarification or add additional context in comments.

6 Comments

gothaf Over a year ago

Thank you for your answer! I have also tried with no spaces in between, but I still get no data.

John Woo Over a year ago

post the result of this echo $query_getShows;

Jonast92 Over a year ago

You shouldn't even consider using this approach anyway, @Akis, it's really easy to use prepared statements and yet it is system critical.

gothaf Over a year ago

This what I get from the echo $query_getShows; SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf' though I still get no data when I test the SQL statement in Dreamweaver.

gothaf Over a year ago

OK guys! This thing actually works, I don't know why dreamweaver doesn't return any data on the sql statement test! Thanks everybody! @Jonast92 I will consider the prepared statements as you said! Thanks!

|

Collectives™ on Stack Overflow

PHP string variable in WHERE clause MySQL

1 Answer 1

6 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

6 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related