Jump to content
Please Use CODE Tags

How can I pass a variable into SQL where clause using PHP?

Flanelman
By Flanelman
in Programming
 Share
Go to solution Solved by vorticalbox,

Db.php

  

<?php
class db {
  private static $handle;
  public static function connect($host, $username, $password, $db){
  self::$handle = new PDO("mysql:host={$host};dbname={$db}", $username, $password);
  self::$handle->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
  }
  public static function query($sql, $args=null){
  $sth = self::$handle->prepare($sql);
  $sth->execute($args);
  return $sth;
  }

//end of class
}

  //enter your database information here. host, username, password, DB name
  db::connect("host", "username", "password", "database");
 
?>

then your php

  

require('db.php');
$sql = db::query("select ID from student_tbl where firstName=:n limit 1",
array(":n" => $name));
$row = $row->fetch(PDO::FETCH_ASSOC);
//row now contains an dict of your data
echo $row['ID'];

If you need more just but more field=:c to the query and then add , 'c' => $variable to the array

Posted

Hey guys,
 

So I'm trying to pass a variable into a Where clause in SQL (within PHP) but I can't seem to figure out how to do it, I've had a look on stack overflow but everything I found just looked completely different. I'm sure it's pretty straight forward but I just can't figure it out so I would appreciate any help you guys have to offer!

Here's what I've tried: 

$name = $_POST['studentName'];

$getID_query = 'SELECT studentID from student_tbl WHERE firstName=($name)';
$getID_query = 'SELECT studentID from student_tbl WHERE firstName=$name';
$getID_query = 'SELECT studentID from student_tbl WHERE firstName=' $name;
$getID_query = 'SELECT studentID from student_tbl WHERE (firstName=$name)';

error: Column not found: 1054 Unknown column '$name' in 'where clause'

 

$name definitely has data as I printed it to the console to check. Also is the value that this query returns stored in "$getID_query"? so if I echo'd $getID_query after the select statement would it print out the selected studentID? 


Thanks in advance :)

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
3 minutes ago, PlasticPotato said:

escape the string

 

 

9 minutes ago, Flanelman said:

Hey guys,
 

So I'm trying to pass a variable into a Where clause in SQL (within PHP) but I can't seem to figure out how to do it, I've had a look on stack overflow but everything I found just looked completely different. I'm sure it's pretty straight forward but I just can't figure it out so I would appreciate any help you guys have to offer!

Here's what I've tried: 


$name = $_POST['studentName'];

$getID_query = 'SELECT studentID from student_tbl WHERE firstName=($name)';
$getID_query = 'SELECT studentID from student_tbl WHERE firstName=$name';
$getID_query = 'SELECT studentID from student_tbl WHERE firstName=' $name;
$getID_query = 'SELECT studentID from student_tbl WHERE (firstName=$name)';

error: Column not found: 1054 Unknown column '$name' in 'where clause'

 

$name definitely has data as I printed it to the console to check. Also is the value that this query returns stored in "$getID_query"? so if I echo'd $getID_query after the select statement would it print out the selected studentID? 


Thanks in advance :)

Even though it is a solution, you should parameterize your query to not worry about code injection. I didn't think it was a big deal until I played with some shitty high school website and found out that I was able to inject JavaScript into a group name or something like that and completely fucked the website. At least the admin probably learned. 

Try, fail, learn, repeat...

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
54 minutes ago, zwirek2201 said:

 

Even though it is a solution, you should parameterize your query to not worry about code injection. I didn't think it was a big deal until I played with some shitty high school website and found out that I was able to inject JavaScript into a group name or something like that and completely fucked the website. At least the admin probably learned. 

Hi, my name is '; DROP ALL TABLES

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
  • Solution

Db.php

  

<?php
class db {
  private static $handle;
  public static function connect($host, $username, $password, $db){
  self::$handle = new PDO("mysql:host={$host};dbname={$db}", $username, $password);
  self::$handle->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
  }
  public static function query($sql, $args=null){
  $sth = self::$handle->prepare($sql);
  $sth->execute($args);
  return $sth;
  }

//end of class
}

  //enter your database information here. host, username, password, DB name
  db::connect("host", "username", "password", "database");
 
?>

then your php

  

require('db.php');
$sql = db::query("select ID from student_tbl where firstName=:n limit 1",
array(":n" => $name));
$row = $row->fetch(PDO::FETCH_ASSOC);
//row now contains an dict of your data
echo $row['ID'];

If you need more just but more field=:c to the query and then add , 'c' => $variable to the array

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

Link to comment
Share on other sites
Link to post
Share on other sites
  • 2 weeks later...
Posted

use double quote on each end of the SQL statement when typing in the variable name like this.  no ( ) necessary. 

$name = $_POST['studentName'];

$link = db_connect('','','');

$getID_query = "SELECT studentID from student_tbl WHERE firstName=$name";

$result = mysql_query('$getID_query');

"Cheapness is not a skill"

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Programming

×