PHP & MySQL syntax problem.

by newbim
6 replies
Hello,

Here's the problem:

$_POST['location'] is being sent from a previous page.

Here's my code:

Code:
$query = ('SELECT * FROM curr_vacs WHERE job_location = "$_POST['location']"');
When I load the page, nothing shows up. If I change it to:

Code:
$query = ('SELECT * FROM curr_vacs WHERE job_location = "ATOWN"');
It seems to work just fine.

To test it, I was using:

Code:
$location="ATOWN";

$query = ('SELECT * FROM curr_vacs WHERE job_location = "$_POST['location']"');
.... nothing.

I'm still VERY NEW to php, but cannot figure it out.

Any advice is greatly appreciated.

Cheers,

Andy.
#php
  • Earnie Boyd
    Change it to

    $query = "SELECT * FROM curr_vacs WHERE job_location = '{$_POST[location]}'";


    The string data in the query is bounded by the single quote (') character and not the double quote. When parsing the PHP, a string in double quotes is parsed for variable data. The { } within the double-quoted string help define the variable. The element in the array within the double-quoted string does not contain the otherwise needed quote. Varying syntax of differing coding systems; got to love it.
  • newbim
    Sir!! Thank you. Great help!!

    I can only hope that one day I'll fully understand the explanation, but for now, I'm just thrilled that a php issue that is simple to others will not taunt my nightmares.

    Thank you again.
    • Nochek
      Originally Posted by newbim

      Sir!! Thank you. Great help!!

      I can only hope that one day I'll fully understand the explanation, but for now, I'm just thrilled that a php issue that is simple to others will not taunt my nightmares.

      Thank you again.

      When testing (not on live production servers) remember to liberally use echo commands.

      $query = "SELECT * FROM curr_vacs WHERE job_location = '{$_POST[location]}'";

      then

      echo $query;

      The page output will be your SQL query and you can run it in a MySQL server to see what actual errors are output.
  • Wack0
    also, that code as-is is vulnerable to sql injection, you might want to sanitize your data inputs.
    • Earnie Boyd
      Originally Posted by Wack0

      also, that code as-is is vulnerable to sql injection, you might want to sanitize your data inputs.
      That depends on how $_POST['location'] is set. If it is a text field then yes, the data should be "sanitized" before using it in the SELECT. If it is a radio, checkbox or a select list then the data is already sanitized because the value is from a known set. To sanitize the data you would use mysql_real_escape_string() and addslashes().
      • Nochek
        Originally Posted by Earnie Boyd

        If it is a radio, checkbox or a select list then the data is already sanitized because the value is from a known set.
        You should be careful programming like this. Using checkboxes, radio buttons, select lists, etc., any browser request (even $_POST) can be replicated through telnet, duplicate sites, JavaScript, or code (even PHP), so always be cautious of any restrictions set on client-side code.

        Never ever ever trust the client, and sanitize everything. Even your back-end, password-protected, random file-name, hidden admin panel that only you have access to.
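Added example, not code from the thread: the interpolated query from the replies beside a parameterised one, run through PDO against an in-memory SQLite database so it executes offline (against MySQL only the DSN string changes; the PDO calls are the same). It also supplies what the thread leaves implicit: with the { } syntax the array key must be quoted ({$_POST['location']}), because an unquoted key inside braces is parsed as a constant and is a fatal error on PHP 8; the mysql_* functions, mysql_real_escape_string() included, were removed in PHP 7.0; and addslashes() is not a substitute for database-aware escaping. The table, rows, allow-list and the simulated POST payload are all constructed for the demo.

```php
<?php
// Added example (not from the thread). In-memory SQLite via PDO so it runs
// offline; for MySQL use e.g. new PDO('mysql:host=...;dbname=...', $user, $pass)
// and keep everything else. Table and rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE curr_vacs (id INTEGER PRIMARY KEY, job_title TEXT, job_location TEXT)');
$db->exec("INSERT INTO curr_vacs (job_title, job_location) VALUES
    ('Junior PHP dev', 'ATOWN'), ('Sysadmin', 'BTOWN'), ('DBA', 'CTOWN')");

// The form may offer ATOWN/BTOWN/CTOWN in a select list, but the browser is
// not the only client: anyone can POST an arbitrary string. Constructed here
// in place of the real $_POST so the script is self-contained.
$posted = ['location' => "' OR '1'='1"];

// 1. The thread's fix: valid PHP (key quoted inside the braces), but the
//    posted value is spliced straight into the SQL text.
function vulnerableLookup(PDO $db, array $post): array
{
    $query = "SELECT * FROM curr_vacs WHERE job_location = '{$post['location']}'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Prepared statement: the value is sent separately from the SQL text and
//    cannot alter the statement's structure, whatever characters it holds.
function safeLookup(PDO $db, array $post): array
{
    $stmt = $db->prepare('SELECT * FROM curr_vacs WHERE job_location = ?');
    $stmt->execute([$post['location']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. For a "known set" input, enforce the set on the server as well;
//    the select list in the browser is only a convenience, not a control.
function allowedLocation(array $post): ?string
{
    static $allowed = ['ATOWN', 'BTOWN', 'CTOWN'];   // the select list's values
    $loc = $post['location'] ?? '';
    return in_array($loc, $allowed, true) ? $loc : null;
}

printf("interpolated query : %d rows\n", count(vulnerableLookup($db, $posted)));
printf("prepared statement : %d rows\n", count(safeLookup($db, $posted)));
printf("allow-list, hostile: %s\n", var_export(allowedLocation($posted), true));
printf("allow-list, ATOWN  : %s\n", var_export(allowedLocation(['location' => 'ATOWN']), true));
```

Run it with php on a build that has pdo_sqlite. The interpolated lookup returns every row in the table, because the posted value turns the WHERE clause into job_location = '' OR '1'='1'; the prepared statement returns none, and the allow-list rejects the value outright while passing a genuine select-list value through. Echoing $query while debugging, as suggested earlier in the thread, is useful, but on a live server send it to a log rather than the page, since the query text reveals table and column names.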