0

I am trying to concatenate a MySQL SELECT query with a PHP variable but got an error. My PHP statement which gives an error is:

 $result=mysql_query("SELECT user_id,username,add FROM users WHERE username =".$user."AND password=".$add);

and the error is:

( ! ) Notice: Undefined variable: info in C:\wamp\www\pollBook\poll\login.php on line 18
Call Stack

I don't understand where I missed the code. When I write the query without the WHERE clause it works fine.

10
  • No, your error is about a missing variable $info on line 18, not your query. Also DON'T use mysql_* AND DO escape your query, you don't even have quotes around the input. Commented Mar 8, 2013 at 11:44
  • It seems this error is not related to this line. Commented Mar 8, 2013 at 11:44
  • mysql_query is a deprecated function. You should look at MySQLi or PDO_MySQL. See php.net/manual/en/function.mysql-query.php Commented Mar 8, 2013 at 11:45
  • When you say error, it's only a notice. I don't think it can stop the query from executing. Commented Mar 8, 2013 at 11:53
  • @jtheman My SQL query statement which I pasted above is on line no. 18. Actually I am new to all this stuff and I don't understand your statement "quotes around the input". Will you please tell me what input exactly? Commented Mar 8, 2013 at 11:57

5 Answers

6

The reason why your code isn't working

You are attempting to use a variable, $info, that has not been defined. When you attempt to use an undefined variable, you're effectively concatenating nothing into a string, however because PHP is loosely typed, it declares the variable the second you reference it. That is why you're seeing a notice and not a fatal error. You should go through your code, and ensure that $info gets a value assigned to it, and that it is not overwritten at some point by another function. However, more importantly, read below.


Stop what you are doing


This is vulnerable to a type of attack called an SQL Injection. I'm not going to tell you how to concatenate SQL strings. It's terrible practice.

You should NOT be using mysql functions in PHP. They are deprecated. Instead use the PHP PDO Object, with prepared statements. Here's a rather good tutorial.

Example


After you've read this tutorial, you'll be able to make a PDO Object, so I'll leave that bit for you.

The next stage is to add your query, using the prepare method:

$stmt = $PDO->prepare("SELECT * FROM tbl WHERE `id` = :id");
// Loads up the SQL statement and returns a PDOStatement. Notice the :id bit.
$actualID = "this is an ID";
$stmt->bindParam(':id', $actualID);
// Bind the value to the parameter in the SQL String.
$stmt->execute();
// This will run the SQL Query for you.

4 Comments

Can't agree more. However this is not at all an answer to the question.
Why give OP an answer that encourages bad practice? OP ultimately wants to query the DB. May as well get them to do it the right way.
Well the problem that the OP posted is apparently not connected with the query line. I agree you could strongly encourage him to change his code but this is still not the answer to his question. So add this as a comment.
I think I'll just amend my answer to answer OP's question, then have this as a side note. Makes more sense.
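
The login query from the question written with a PDO prepared statement, next to the concatenated form for comparison. This is an added example, not code from any poster in this thread; it assumes an in-memory SQLite database in place of the asker's MySQL server, constructed table rows, and the hypothetical function names `find_user_concat` and `find_user_prepared`.

```php
<?php
// Added example (not from the thread). SQLite in memory stands in for MySQL
// so the script runs offline; the rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `add` is backtick-quoted because ADD is a reserved word in MySQL.
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, `add` TEXT)');
$pdo->exec("INSERT INTO users (username, `add`) VALUES ('alice', 'secret1')");
$pdo->exec("INSERT INTO users (username, `add`) VALUES ('O''Brien', 'secret2')");

// Concatenation, as in the quoted answers: the value becomes part of the SQL text.
function find_user_concat(PDO $pdo, string $user, string $add)
{
    $sql = "SELECT user_id, username FROM users WHERE username = '" . $user
         . "' AND `add` = '" . $add . "'";
    try {
        return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and the values are sent separately,
// so nothing inside $user or $add can alter the structure of the query.
function find_user_prepared(PDO $pdo, string $user, string $add)
{
    $stmt = $pdo->prepare(
        'SELECT user_id, username FROM users WHERE username = :user AND `add` = :add'
    );
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':add', $add, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
}

// An ordinary name containing an apostrophe is enough to break the
// concatenated query, while the prepared statement treats it as plain data.
var_dump(find_user_concat($pdo, "O'Brien", 'secret2'));
var_dump(find_user_prepared($pdo, "O'Brien", 'secret2'));
var_dump(find_user_prepared($pdo, 'alice', 'wrong'));
```

In a real login the stored column would hold a `password_hash()` value checked with `password_verify()` after fetching the row by username, rather than being compared inside the SQL.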
1

You are missing a space before "AND " and you should use single quotes as suggested in other answers.

$result=mysql_query("SELECT user_id,username,add FROM users WHERE *username =".$user."AND* password=".$add);

Updated:

echo $sql = "SELECT user_id,username,add FROM users WHERE username ='".$user."' AND password='".$add."'";
$result=mysql_query($sql);

1 Comment

Check the updated answer. I just echoed the SQL part; see what you get on the screen (if needed, add die after echo).
0

Although there is no $info variable used in the query, you need to correct the query:

$result=mysql_query("SELECT user_id,username,add FROM users WHERE username ='" . $user . "' AND password='" . $add . "'");

6 Comments

Actually we have no idea what the contents of $user and $add look like! This is not an answer to the OP's question either!
It's actually not a bad answer despite the poor PHP/MySQL practice. OP basically didn't surround the $user and $add variables with quotes so they weren't being passed as a string in the query, resulting in the error.
@harryg Well it is a bad answer if you are looking to solve the error: Undefined variable: info
@jtheman: the basics have to be correct first. I know that the solution is found in my advice but the syntax has to be corrected and I only did that, I even mentioned that in my explanation.
@jtheman: I don't want an upvote for this, it's just that the syntax was not right and that's the basics, it should be advised. I am sorry if that shouldn't have been done.
0

First, from the error it looks like one of your variables is not defined; check it. Second, surround your parameters with ' for safer syntax.

1 Comment

You can't tell from the code posted IF the OP has escaped his query or not, whatever you might think.
-2

This is because the variables you are using might not have been defined above.

So first initialize your variables, or if they are coming from somewhere else (POST or GET), then check with the isset method.

So the complete code would be

$user = 123; // or $user = isset($user)?$user:123;
$add = 123456; // or $add = isset($add)?$add:123456;

And then run your query

$result=mysql_query("SELECT user_id,username,add FROM users WHERE username =".$user."AND password=".$add);

1 Comment

The error is Undefined variable: info and has nothing to do with that line.
