tags:

views:

67

answers:

4
+1  Q: 

PHP: Passing variables for mysql query without enclosing them in " or '

Hi,

There's an open source application that does queries like so:

$db->query('SELECT item FROM table WHERE something='.$something);

This works fine, mysql runs the query however if I use exactly the same method I get an error, mysql is seeing it as "something = (value of $something)" and it's (rightly) complaining that (value of $something) is not a row. These applications both run on the same server and I've rooted through their code for hours but I cannot work out what is causing it.

$db->query('SELECT item FROM table WHERE something='.$something);

works in their application but fails in mine. Do I need to do something with the string I'm passing? I have no problem enclosing the variables properly, like:

$db->query('SELECT item FROM table WHERE something="'.$something.'"');

but I'd like to know what causes the difference.

+3  A: 

MySQL needs the string to be enclosed. The only thing I can think is that $something is an integer or a float.

adam  2010-02-19 21:49:30
Aha! I think you might be right. How did I miss that, I can't believe it. Silly me... Thankyou.
citricsquid  2010-02-19 21:50:21
A: 

You can pass numbers without quotes

SELECT ... WHERE id=5

but you have to mark string literals as such with quotes

SELECT ... WHERE id='abc'

see http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html

VolkerK  2010-02-19 21:50:52
A: 

  1. The code is bad bad bad if $something comes from the user/browser. That's call sql_injection error

  2. Send us the exact code statement and sql log so we can see what is happening

Larry K  2010-02-19 21:51:14
of course the data has been sanitized before hand! It was just a silly mistake on my part, I'd overlooked the fact that numbers and strings are treated differently by mysql, mysql will take and handle numbers fine w/out being enclosed, but if I don't enclose a string it can't handle it. Thanks!
citricsquid  2010-02-19 21:54:28
right, that's a really really bad practice. avoid this way of building sql queries and start using prepared statements: http://devzone.zend.com/article/686#Heading10, http://www.petefreitag.com/item/356.cfm
knoopx  2010-02-19 21:55:16
A: 

Try this 

$db->query('SELECT item FROM table WHERE something={$something}');

This will work

streetparade  2010-02-19 21:51:36
In my opinion a comment would be nice if someone votes down, because there is a big learning process if someone says your faults. So that i can learn from my Faults ;-)
streetparade  2010-02-19 21:55:40
I imagine you were voted down because braces {} are used to wrap complex variables such as class vars or array items in strings - they won't enclose the outputted variable though.
adam  2010-02-19 22:26:46
Hy adam thank you for the Information.
streetparade  2010-02-19 23:46:20

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL