0

I want to write a mysql query something like this:

select * from books where title like '$title_';

The $title is a PHP variable. When I run the above query, it throws an error saying

'$title_ variable not found'

How can I achieve this?

Thanks..

8 Answers

8

Use:

"... WHERE title LIKE '". mysql_real_escape_string($title) ."_'";

You could use:

"... WHERE title LIKE '{$title}_'";

..but there's a risk of SQL Injection attacks


4

Do it like this:

$query = "select * from books where title like '{$title}_'";
$result = mysql_query($query) or die(mysql_error());

By surrounding variable in {} you can specify that only $title is a variable and not the _. And the double-quote string will ensure that this variable gets expanded to its value.

1 Comment

I'd like to add: never use variables like this in queries. No more. Use Pdo::quote method at least if you have to do it like this, but please look into pdo::prepare !
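
The PDO approach mentioned in the comment, as an added example (not code from the question or any answer on this page). The connection details are placeholders, and the table and column names are the ones from the question.

```php
<?php
// Added example: a LIKE query with a trailing "_" wildcard, using a PDO
// prepared statement instead of string interpolation.
// Host, database, user and password are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=library;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function findBooksByTitlePrefix(PDO $pdo, string $title): array
{
    // The wildcard is appended to the bound value, not to the SQL text, so the
    // "$title_" variable-name ambiguity from the question never arises, and the
    // value itself is never interpolated into the statement.
    $stmt = $pdo->prepare('SELECT * FROM books WHERE title LIKE ?');
    $stmt->execute([$title . '_']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$title = "O'Reilly"; // a quote in the value is harmless with a bound parameter
foreach (findBooksByTitlePrefix($pdo, $title) as $book) {
    echo $book['title'], PHP_EOL;
}
```

Because the value travels to the server separately from the statement text, no escaping of quotes is needed at all; the only thing the application still controls is the pattern it builds around the value.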

0

Your query string must look like:

$query  = "select * from books where title like '".$title."_'";

Please note, the '".$title."_'

The error you are getting is because your query is taking $title_ and not the value of your PHP variable $title.

0

Try:

"select * from books where title like '{$title}_';"

The curly braces first evaluate the variable and later add your wildcard _ to the variable value, thereby providing the SQL query with your search criteria.

0

$query = "select * from books where title like '" . $title . "_'";

0

$query = "SELECT * FROM books WHERE title LIKE '".$title."_';";


0

Do you have a variable $title_ or is it just $title?

If it's just $title then:

$query = "select * from books where title like '".$title."_'";

1 Comment

The underscore is a part of the LIKE; it should match any single character. So: $query = "select * from books where title like '".$title."'_";

-1

The MySQL query is merely a string. You just have to put the value of your $title PHP variable inside this string. The problem is that this string is followed by an underscore character that is valid in a variable name, hence you have to delimit the variable name or the underscore will be included in the name.

There are several ways to do it, for example:

$query = "select * from books where title like '${title}_'";
$query = "select * from books where title like '".$title."_'";

As OMG Ponies said, if $title came from some user input and not from some controlled part of your program (for example another table in the database), the variable should also be protected or there are some risks of SQL injection attack (executing more than one query, and more specifically a query prepared by some hacker to be some valid SQL).

Besides attacks, there are also some other potential problems if you do not escape. Imagine what will happen for example if the title actually contains a quote...

I would usually do:

$query = "select * from books where title like '".addslashes($title)."_'";

but there are other variants depending on the escaping context and what you want to protect from.

2 Comments

-1: addslashes is usually not a good idea at all... Poor escaping is worse than no escaping (since you think you're safe when you're not)...
@ircmaxell: that is not a problem if I'm not dealing with user input but with controlled data, as I suggested. In this context addslashes is good enough (like for protecting from raw quotes in input as I suggested). For user inputs there are usually many more treatments to apply before considering using them in some SQL request. I always thought quite crazy (even if it's actually common) the idea of merely protecting input and mixing carelessly UTF-8 and various codepages in the database.
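
One point the answers above leave open is that escaping quotes (with addslashes or otherwise) does nothing about the LIKE metacharacters themselves: a user-supplied "%" or "_" turns into a wildcard. The following is an added example, not code from any answer on this page, that binds the value with mysqli and escapes "%", "_" and the backslash inside it so they match literally, while keeping the single trailing "_" wildcard from the question. Connection details are placeholders; the escapeLikeValue and findBooksByTitle names are this example's own.

```php
<?php
// Added example: escaping LIKE metacharacters in a user-supplied value while
// still using a prepared statement. Host, database, user and password are
// placeholders.
$db = new mysqli('localhost', 'user', 'password', 'library');
$db->set_charset('utf8mb4');

// addslashes() only touches quotes, backslashes and NUL; it neither knows the
// connection charset nor does anything about LIKE wildcards. Backslash is
// MySQL's default LIKE escape character, made explicit below with ESCAPE.
function escapeLikeValue(string $value): string
{
    // Prefix backslash, percent and underscore with a backslash.
    return addcslashes($value, '\\%_');
}

function findBooksByTitle(mysqli $db, string $title): array
{
    // In the PHP double-quoted string '\\\\' becomes '\\' in the SQL text,
    // which MySQL reads as a single backslash.
    $stmt = $db->prepare("SELECT * FROM books WHERE title LIKE ? ESCAPE '\\\\'");
    // The one wildcard the query is meant to have is appended after escaping.
    $pattern = escapeLikeValue($title) . '_';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// "100%" is treated as the literal prefix "100%" followed by exactly one
// character, rather than "100" followed by anything.
foreach (findBooksByTitle($db, '100%') as $book) {
    echo $book['title'], PHP_EOL;
}
```

The bound parameter takes care of quotes and the SQL grammar; escapeLikeValue only decides which characters of the value are pattern syntax. Keeping those two concerns separate is what makes the escaping easy to review.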
