Hi!

I want to write a MySQL query something like this:

select * from books where title like '$title_';

The $title is a PHP variable. When I run the above query, it throws an error saying

'$title_ variable not found'

How can I achieve this?

Thanks..

+3  A: 

Do it like this:

$query = "select * from books where title like '{$title}_';";
$result = mysql_query($query) or die(mysql_error());

By surrounding the variable in {} you can specify that only $title is a variable and not the _. And the double-quoted string will ensure that this variable gets expanded to its value.

shamittomar
thanks shamittomar
jest
You're welcome.
shamittomar
A: 

The MySQL query is merely a string. You just have to put the value of your $title PHP variable inside this string. The problem is that this string is followed by an underscore character that is valid in a variable name, hence you have to delimit the variable name or the underscore will be included in the name.

There are several ways to do it, for example:

$query = "select * from books where title like '${title}_'";
$query = "select * from books where title like '".$title."_'";

As OMG Ponies said, if $title came from some user input and not from some controlled part of your program (for example another table in the database), the variable should also be protected or there are some risks of SQL injection attack (executing more than one query, and more specifically a query prepared by some hacker to be some valid SQL).

Besides attacks, there are also some other potential problems if you do not escape. Imagine what will happen for example if the title actually contains a quote...

I would usually do:

$query = "select * from books where title like '".addslashes($title)."_'";

but there are other variants depending on the escaping context and what you want to protect from.

kriss
-1: `addslashes` is usually [not a good idea at all](http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string)... Poor escaping is worse than no escaping (since you think you're safe when you're not)...
ircmaxell
@ircmaxell: that is not a problem if I'm not dealing with user input but with controlled data, as I suggested. In this context addslashes is good enough (like for protecting from raw quotes in input, as I suggested). For user inputs there are usually many more treatments to apply before considering using them in some SQL request. I always thought quite crazy (even if it's actually common) the idea of merely protecting input and carelessly mixing UTF-8 and various codepages in the database.
kriss
A: 

Do you have a variable $title_ or is it just $title?

If it's just $title, then:

$query = "select * from books where title like '".$title."_'";
Chris
The underscore is part of the `LIKE`; it should match any single character, so: `$query = "select * from books where title like '".$title."'_";`
FrustratedWithFormsDesigner
A: 

Your query string must look like:

$query  = "select * from books where title like '".$title."_'";

Please note the '".$title."_' part.

The error you are getting is because your query is taking $title_ literally and not the value of your PHP variable $title.

Garis Suero
A: 

Try:

"select * from books where title like '{$title}_';"

The curly braces first evaluate the variable and then add your wildcard _ to the variable's value, thereby providing the SQL query with your search criteria.

Sarfraz
A: 

$query = "select * from books where title like '" . $title_ ."'";

Zak
A: 

$query = "SELECT * FROM books WHERE title LIKE '".$title."_';";

cbattlegear
+6  A: 

Use:

"... WHERE title LIKE '". mysql_real_escape_string($title) ."_'";

You could use:

"... WHERE title LIKE '{$title}_'";

...but there's a risk of SQL injection attacks.

OMG Ponies
+1 for being the only answer so far to broach the issue of escaping...
ircmaxell
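As an added example (not code from any answer in this thread): the same LIKE query built with a PDO prepared statement, so a quote inside $title cannot change the SQL, and with LIKE's own wildcards inside $title escaped so they match literally. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite table in place of MySQL; the `escapeLike` and `findTitles` names are mine.

```php
<?php
// Added example, not from the thread. Builds the LIKE query from the question
// with a PDO prepared statement, so a quote inside $title cannot change the SQL,
// and escapes LIKE's own wildcards so '%' or '_' inside $title match literally.
// Assumption: an in-memory SQLite database (pdo_sqlite) stands in for MySQL.

// Escape LIKE metacharacters so they match literally. '!' is the escape
// character declared in the query below (assumption: not used in titles).
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'],
                       [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

// Titles that start with $title followed by exactly one more character,
// i.e. the question's "title LIKE '$title_'" with $title bound as a parameter.
function findTitles(PDO $db, string $title): array
{
    $stmt = $db->prepare(
        "SELECT title FROM books WHERE title LIKE :pattern ESCAPE '!'");
    // The '_' appended here is the wildcard; any '_' inside $title was escaped.
    $stmt->execute([':pattern' => escapeLike($title) . '_']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE books (title TEXT)");
// Constructed sample rows: a literal underscore and a quote among them.
$insert = $db->prepare("INSERT INTO books (title) VALUES (?)");
foreach (["Dune", "Dune2", "Dune_", "Dune_3", "O'Brien", "O'Brien!"] as $t) {
    $insert->execute([$t]);
}

// The interpolated form from the thread: a quote in $title breaks the SQL
// (a syntax error here; crafted input could instead alter the query).
$title = "O'Brien";
try {
    $db->query("SELECT title FROM books WHERE title LIKE '{$title}_'");
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// The bound form returns only the intended rows for each search.
foreach (["Dune", "Dune_", "O'Brien"] as $search) {
    echo $search . ": " . implode(", ", findTitles($db, $search)) . "\n";
}
```

The explicit ESCAPE clause also matters on MySQL, where the default LIKE escape character is a backslash and a `_` or `%` typed into $title would otherwise widen the match.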