tags:

views:

78

answers:

4
Q: 

Can I use a variable in SQL? If not, how to avoid this?

Can I pull out data by using variable in SQL?

For example,

In controller

$frontbottom = $this->MProducts -> getFeatureProducts('Front bottom');

In model

//This does not work.
  function getFeatureProducts($catname){
     $data = array();
     $Q = $this->db->query('SELECT P.*, C.Name AS CatName 
                   FROM omc_products AS P
                   LEFT JOIN omc_categories AS C
                   ON C.id = P.category_id
                   WHERE C.Name = $catname
                   AND p.status = "active"
                   ORDER BY RAND()
                   ');
     if ($Q->num_rows() > 0){
       foreach ($Q->result_array() as $row){
         $data[] = $row;
       }
    }
    $Q->free_result();    
    return $data;  

 }

This does not work. Is it because I am using variable?

The following works. In controller 

$frontbottom = $this->MProducts -> getFrontbottom();

In model 

function getFrontbottom(){
     $data = array();

     $Q = $this->db->query('SELECT P.*, C.Name AS CatName 
                   FROM omc_products AS P
                   LEFT JOIN omc_categories AS C
                   ON C.id = P.category_id
                   WHERE C.Name = "Front bottom"
                   AND p.status = "active"
                   ORDER BY RAND()
                   ');
     if ($Q->num_rows() > 0){
       foreach ($Q->result_array() as $row){
         $data[] = $row;
       }
    }
    $Q->free_result();    
    return $data;  

 }

Can I use variable in SQL?

If not, what is the best way? Do I have make same SQL again and again just changing WHERE clause?

+3  A: 

For one thing, your quotes are mixed up. If you want to include a variable in a string, you need to use double quotes rather than single quotes. Also, the quotes around "active" should be single quotes. Try this and I think it should work:

$this->db->query("SELECT P.*, C.Name AS CatName 
                   FROM omc_products AS P
                   LEFT JOIN omc_categories AS C
                   ON C.id = P.category_id
                   WHERE C.Name = '$catname'
                   AND p.status = 'active'
                   ORDER BY RAND()
                   ");
Eric Petroelje  2009-12-29 20:48:10
Thanks. It gives the following error now. --You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'bottom AND p.status = 'active' ORDER BY RA' at line 5SELECT P.*, C.Name AS CatName FROM omc_products AS P LEFT JOIN omc_categories AS C ON C.id = P.category_id WHERE C.Name = Front bottom AND p.status = 'active' ORDER BY RAND()
shin  2009-12-29 20:52:19
Assuming this is PHP, you should also get in the habit of putting curly braces around your variable names in double-quoted strings: instead of '$catname', {$catname} because the interpreter is greedy when taking tokens to form variable names in strings.
KingRadical  2009-12-29 20:53:33
@shin - I edited my answer again, there should be single quotes around the $catname variable as well.
Eric Petroelje  2009-12-29 20:53:46
Thanks, it works.
shin  2009-12-29 20:59:56
A: 

Try this:

  //This does not work. 
  function getFeatureProducts($catname){ 
     $data = array(); 
     $Q = $this->db->query('SELECT P.*, C.Name AS CatName  
                   FROM omc_products AS P 
                   LEFT JOIN omc_categories AS C 
                   ON C.id = P.category_id 
                   WHERE C.Name = "' . $catname . '"
                   AND p.status = "active" 
                   ORDER BY RAND() 
                   '); 
     if ($Q->num_rows() > 0){ 
       foreach ($Q->result_array() as $row){ 
         $data[] = $row; 
       } 
    } 
    $Q->free_result();     
    return $data;   
 }

The bottom line, is that you need to put the value from the variable into the SQL String. You cannot simply put the name of the variable.

Nate Bross  2009-12-29 20:48:31
PHP uses . as concatenation operator, not + :)
Tatu Ulmanen  2009-12-29 20:50:30
Thanks, habit...
Nate Bross  2009-12-29 22:50:21
+1  A: 

You can use variables in SQL, after all, that's just a normal string you're passing to the query function.You are using single quotes, that is why your variable does not work. All variables inside single quotes are ignored by PHP and will not be parsed. Put the query in double quotes. You should also always properly escape variables in queries to protect yourself from SQL injection attacks. Thus, this would work and be safe:

$Q = $this->db->query("SELECT P.*, C.Name AS CatName 
               FROM omc_products AS P
               LEFT JOIN omc_categories AS C
               ON C.id = P.category_id
               WHERE C.Name = '".mysql_real_escape_string($catname)."',
               AND p.status = 'active'
               ORDER BY RAND()");

If it's still failing, try using echo mysql_error() after the query, and also echo the query to the browser so you'll see whether it's properly formatted.

Note that the database library might have it's own alternatives to mysql_real_escape_string and mysql_error, but this was just an example anyways.

Tatu Ulmanen  2009-12-29 20:48:47
+1 for mentioning escaping the variable.
Eric Petroelje  2009-12-29 20:52:25
A: 

you need to expand the variable before yo make the sql query.

sql_query1 = 'SELECT P.*, C.Name AS CatName FROM omc_products AS P LEFT JOIN omc_categories AS C ON C.id = P.category_id WHERE C.Name = "'

sql_query2 = '" AND p.status = "active" ORDER BY RAND() '

finally ,

sqlquery = sqlquery1+ $catname + sqlquery2

  • on your actual program don't use sqlquery1,2 etc .. this is a very cumbersome way to do this.. it is only to make it clear to understand
AlexFerrer  2009-12-29 20:54:27

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL