
I have this quick question: I have got the username variable from a form and I need to insert it in a query. Can you please tell me where I'm going wrong? It says: Unknown column '$username' in 'field list'

Here is the code:

    echo $HTTP_POST_VARS['username'];
    echo $username;
    $query = sprintf( 'SELECT $username FROM hostess' );
    Don't do this. STOP. Read up and learn about SQL injection attacks before you go ANY farther with this kind of coding. Commented Jun 19, 2012 at 22:53

4 Answers

  1. In the code supplied you never set $username.
  2. You're wide open for SQL injection.
  3. You're using sprintf without any reason - it formats a string but you're not supplying any formatting; my example below does.
  4. You're trying to 'SELECT $username FROM hostess' but that's not a valid SQL statement at all.

You'd be wanting something more like:

$query = sprintf( "SELECT * FROM hostess WHERE username='%s'", $username);

AFTER making sure you clean $username.



Uhmm, about everything seems wrong.

First of all, you never defined the variable $username. What you are doing would only be valid in a version of PHP that still supports superglobals.

Second, why are you using sprintf for a query?

By the way, HTTP_POST_VARS is deprecated. Use $_POST.

Correct code would be something like this:

    $username = $_POST['username'];
    echo $username;

    $query = mysql_query("SELECT ".$username." FROM hostess");

2 Comments

Good to hear! Could you mark my answer as the correct one? Thanks
Sure, i just need to wait 4 more minutes to do that :)

In PHP, using the single quote for strings will not parse the string for variables. Use either concatenation or double quotes:

$query = sprintf( 'SELECT ' . $username . ' FROM hostess' );
$query = sprintf( "SELECT $username FROM hostess");

Of course, this is to say nothing about the terrible risks using a POST var this way implies.


$query = sprintf( 'SELECT %s FROM hostess', $username);

-or, if that's a string value, I suspect you may want to include that in single quotes in the query text -

$query = sprintf( "SELECT '%s' FROM hostess", $username);

NOTE: The generated SQL statement looks a bit odd, in that it's going to return the same literal value for every row in the hostess table. If there are a hundred rows in the hostess table, you are going to return 100 rows with the same literal value. This may be what you want, but it strikes me as VERY odd.

NOTE: The sprintf function looks for %s, %d, etc. placeholders in the first argument, and replaces them with values from the remaining arguments.

NOTE: If $username contains a value coming in from a form, and has not been validated, to thwart SQL injection attacks, I would use the (admittedly old school) mysql_real_escape_string function. (Others will offer suggestions for better, more modern techniques to accomplish the same result.)

$query = sprintf("SELECT '%s' FROM hostess",mysql_real_escape_string($username));

2 Comments

Hey thanks, is it normal that the output is: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM hostess' at line 1? I'm on localhost.
@Gazeta Almedicus: If the query text is malformed, yes, it is expected. If $username contains an integer value, it should not be a problem. "SELECT 1 FROM hostess". If $username is a string, then it may be a problem if $username is not a valid SQL expression...
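A runnable illustration of the points made in the first and last answers above (pasting the value into the query text versus quote-escaping it versus binding it as a parameter), plus the identifier problem behind the original "Unknown column" error. This is an added example, not code from any of the posts; it is written in Python against an in-memory SQLite table rather than the PHP/MySQL setup in the question, because the shape of the problem is the same. The `hostess` table, its columns and its rows are constructed for the example, and the `lookup_*` / `select_column` names are the example's own.

```python
import sqlite3

# Constructed sample data standing in for the question's "hostess" table.
SAMPLE_ROWS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]

# Columns a caller may name in SELECT; anything else is rejected.
ALLOWED_COLUMNS = {"username", "email"}


def make_db():
    """Build the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hostess (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO hostess VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_interpolated(conn, username):
    """Mirrors sprintf("SELECT * FROM hostess WHERE username='%s'", $username):
    the value becomes part of the SQL text, so a quote inside it ends the
    string literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM hostess WHERE username='%s' "
             "ORDER BY username" % username)
    return [row[0] for row in conn.execute(query)]


def lookup_escaped(conn, username):
    """The mysql_real_escape_string approach from the last answer: escape
    quotes so the value stays inside the literal. SQLite escapes by doubling
    the quote (MySQL's function backslash-escapes instead). This only helps
    inside a quoted string literal; an unquoted slot gets no protection."""
    safe = username.replace("'", "''")
    query = ("SELECT username FROM hostess WHERE username='%s' "
             "ORDER BY username" % safe)
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Parameter binding, the equivalent of a PDO/MySQLi prepared statement:
    the value is sent separately from the statement text and can only ever
    be compared as data, whatever characters it contains."""
    query = "SELECT username FROM hostess WHERE username=? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def select_column(conn, column):
    """The question's original SELECT $username FROM hostess puts form input
    where a column name belongs. Placeholders cannot bind identifiers, so the
    name must be checked against an allow-list before it is concatenated."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % (column,))
    return [row[0] for row in conn.execute("SELECT %s FROM hostess ORDER BY 1" % column)]
```

Running `lookup_interpolated(make_db(), "x' OR '1'='1")` returns every row, because the pasted value turns the WHERE clause into `username='x' OR '1'='1'`; the escaped and parameterized versions return nothing for the same input, and `select_column` refuses any column name that is not on the allow-list instead of producing the "Unknown column" error.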
