SQL statement with variables

  • NK

    SQL statement with variables

    Hi all,

    how do I create an SQL with variables that are sourced from a form?

    My code obviously ain't happy with it :)

    $query = "SELECT * FROM itrader_games WHERE console = ".$console. " AND
    genre = ".$genre." AND title = ".$title."" ;

    the variables are sourced using $_GET and it seems to work ok when
    hardcoded....

    any suggestions??

    Cheers,
    NK
  • Tom Thackrey

    #2
    Re: SQL statement with variables


    On 20-Dec-2003, NK <NK> wrote:
    > how do I create an SQL with variables that are sourced from a form?
    >
    > My code obviously ain't happy with it :)
    >
    > $query = "SELECT * FROM itrader_games WHERE console = ".$console. " AND
    > genre = ".$genre." AND title = ".$title."" ;
    >
    > the variables are sourced using $_GET and it seems to work ok when
    > hardcoded....

    What error are you getting?

    Here is an example of what you should have in your code:

    $console = addslashes($_GET['console']);
    $genre = addslashes($_GET['genre']);
    $title = addslashes($_GET['title']);
    $query = "SELECT * FROM itrader_games WHERE console='$console' AND genre='$genre' AND title='$title' ";
    $result_set = mysql_query($query) or die("$query FAILED because ".mysql_error() );
    ....


    --
    Tom Thackrey

    tom (at) creative (dash) light (dot) com
    do NOT send email to jamesbutler@willglen.net (it's reserved for spammers)


    • NK

      #3
      Re: SQL statement with variables

      Tom Thackrey wrote:
      > On 20-Dec-2003, NK <NK> wrote:
      >
      >> how do I create an SQL with variables that are sourced from a form?
      >>
      >> My code obviously ain't happy with it :)
      >>
      >> $query = "SELECT * FROM itrader_games WHERE console = ".$console. " AND
      >> genre = ".$genre." AND title = ".$title."" ;
      >>
      >> the variables are sourced using $_GET and it seems to work ok when
      >> hardcoded....
      >
      >
      > What error are you getting?
      >
      > Here is an example of what you should have in your code:
      >
      > $console = addslashes($_GET['console']);
      > $genre = addslashes($_GET['genre']);
      > $title = addslashes($_GET['title']);
      > $query = "SELECT * FROM itrader_games WHERE console='$console' AND genre='$genre' AND title='$title' ";
      > $result_set = mysql_query($query) or die("$query FAILED because ".mysql_error() );
      > ...
      >

      Thank you! addslashes was my cure!!! :)


      • Christian Fersch

        #4
        Re: Re: SQL statement with variables

        > Thank you! addslashes was my cure!!! :)

        no, it was your damnation

        addslashes is the wrong function here. Use mysql_escape_string()

        --
        mfg Christian

        --
        Composed with Newz Crawler 1.6 http://www.newzcrawler.com/


        • Tom Thackrey

          #5
          Re: Re: SQL statement with variables


          On 20-Dec-2003, "Christian Fersch" <Chronial@cyberpunkuniverse.de> wrote:
          > > Thank you! addslashes was my cure!!! :)
          >
          > no, it was your damnation
          >
          > addslashes is the wrong function here. Use mysql_escape_string()

          addslashes() works fine. mysql_escape_string() escapes more characters but
          it's not required; its only advantage is that it escapes some control
          characters that make reading the log file easier.

          --
          Tom Thackrey

          tom (at) creative (dash) light (dot) com
          do NOT send email to jamesbutler@willglen.net (it's reserved for spammers)
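Editor's worked example, added to this thread and not code posted by NK, Tom or Christian. The thread never shows the query string NK's first version produced, so the script below builds it from constructed sample input to make the two problems visible: the values are not wrapped in quotes (so the database reads them as column names, and any apostrophe in a title ends the statement early), which is why Tom's version works as much because of the added quotes as because of addslashes(). The script then runs the same lookup with PDO bound parameters, where the user-supplied values never become part of the SQL text, so no escaping function choice arises at all. Assumptions: an in-memory SQLite table stands in for the MySQL itrader_games table, and the sample rows and $_GET values are constructed. The mysql_* functions from the thread were removed in PHP 7 (mysql_escape_string was superseded by the charset-aware mysql_real_escape_string before that), so the escaped string is only built for comparison, not executed.

```php
<?php
// Added example (not from the thread). Shows what NK's concatenated query looks
// like, the thread's quote-and-escape version, and a bound-parameter version.
// Assumption: an in-memory SQLite table stands in for the MySQL itrader_games table.

// Constructed sample input, as it might arrive via $_GET.
$input = ['console' => 'PS2', 'genre' => 'RPG', 'title' => "Baldur's Gate"];

// 1. NK's original construction: values are not quoted, so the engine reads
//    PS2 and RPG as column names, and the apostrophe in the title leaves an
//    unterminated string literal. The statement cannot parse.
function buildUnquoted(array $in): string {
    return "SELECT * FROM itrader_games WHERE console = " . $in['console']
         . " AND genre = " . $in['genre'] . " AND title = " . $in['title'];
}

// 2. The thread's fix: quote each value and backslash-escape quotes inside it.
//    This is MySQL-style escaping (SQLite does not treat backslash specially),
//    so the string is only displayed here, never executed.
function buildEscaped(array $in): string {
    return "SELECT * FROM itrader_games WHERE console='" . addslashes($in['console'])
         . "' AND genre='" . addslashes($in['genre'])
         . "' AND title='" . addslashes($in['title']) . "'";
}

// 3. Bound parameters: the SQL text contains placeholders only, and the values
//    are sent separately, so no character in the input can alter the statement.
function findGames(PDO $db, array $in): array {
    $stmt = $db->prepare(
        'SELECT id, title FROM itrader_games WHERE console = :console AND genre = :genre AND title = :title'
    );
    $stmt->execute([
        ':console' => $in['console'],
        ':genre'   => $in['genre'],
        ':title'   => $in['title'],
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in table with one title that contains an apostrophe.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE itrader_games (id INTEGER PRIMARY KEY, console TEXT, genre TEXT, title TEXT)');
$db->exec("INSERT INTO itrader_games (console, genre, title) VALUES "
        . "('PS2', 'RPG', 'Baldur''s Gate'), ('PS2', 'RPG', 'Final Fantasy X')");

echo "Unquoted : ", buildUnquoted($input), "\n";
echo "Escaped  : ", buildEscaped($input), "\n";

// The bound-parameter lookup returns exactly the one matching row.
print_r(findGames($db, $input));

// And the unquoted form is rejected by the engine, which is the failure NK saw.
try {
    $db->query(buildUnquoted($input));
} catch (PDOException $e) {
    echo "Unquoted query rejected: ", $e->getMessage(), "\n";
}
```

Running it prints the three query forms, one result row for "Baldur's Gate", and the engine's parse error for the unquoted statement. The point for a reviewer of code like NK's is that quoting plus escaping only repairs the symptom; binding the values keeps data and statement structure apart regardless of which escaping function or character set is in play.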
