tags:

views:

56

answers:

2
Q: 

Unknown column 'xyz' in 'where clause'

i created a user defined sql query that doesn't work. users are supposed to be able to enter search strings in an input field, submit then see the results of their search but everytime i enter a search for something that i know is in the database i get the unknown column "x" in "where clause" error message.

would you please help me fix the problem? here's the code that i wrote for it...

...
mysql_select_db("mydb", $c);
$search = $_POST['search'];

$rslt = mysql_query("SELECT * FROM mytable
WHERE 'mycolumn' RLIKE $search");

while($row = mysql_fetch_array($rslt))
  {
  echo $row['myrow'];
  echo "<br />";
  }

if (!$row)
  {
  die('uh oh: ' . mysql_error());
  }

?>
+4  A: 

Change the code to this:
1) Convert quotes to backticks around column name.
2) Surround $search with single qoutes to make it a string.

 $rslt = mysql_query("SELECT * FROM mytable WHERE `mycolumn` RLIKE '{$search}'");
shamittomar  2010-08-22 17:01:05
[Backticks are unnecessary unless the column name is also a reserved word in MySQL](http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html)
OMG Ponies  2010-08-22 17:08:26
thank you all very much!!! :)
David Lee  2010-08-22 17:13:25
@OMG Ponies, yes but we do not know whether in his code mycolumn is a reserved name or not. So, it's always safe to follow this practice.
shamittomar  2010-08-22 17:23:55
A: 

I would like to add a few about security and performance.

It is unsafe to put user input (any GET, POST or cookie data) directly into the SQL query. This is a serious security issue called SQL injection. To avoid it, use mysql_real_escape_string() function.

Also, SELECT * FROM mytable ... is not a good practice. It is recommended to explicitly list all the columns needed even if they all are:

SELECT col1, col2, col3, col4, col5 FROM mytable ...
vadimbelyaev  2010-08-22 18:12:27

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL