mysql_query with quotes around variables?

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • giloosh
    New Member
    • Sep 2008
    • 2
    #1

    mysql_query with quotes around variables?

    I run the code below with cli (no web server)
    it works fine on my xampp setup but will not work on my php standalone setup on another machine.
    Code:
    $var1 = "-1";
$var2 = 7;
$q="update `table1` set `fld1` = '$var1' where `fld2` = '$var2'";
mysql_query($q);
    I am not getting any errors (yes error reporting is on), it just wont update the row.
    it works if I type the sql straight into mysql query browser.
    Code:
    update `table1` set `fld1` = '-1' where `fld2` = '7';
    the funny thing is, if I remove the single quotes from the variables it will work.
    Code:
    $q="update `table1` set `fld1` = $var1 where `fld2` = $var2";
    fld1 is TINYINT(1) with unsigned unchecked
    fld2 is INTEGER()
    I thought php can convert strings into the appropriate data type if needed.
    any ideas why its working on xampp and not on a php standalone install?
    Thanks for any help!
    Tags: None
    • Dormilich
      Recognized Expert Expert
      • Aug 2008
      • 8694
      #2
      Originally posted by giloosh
      I thought php can convert strings into the appropriate data type if needed.
      it does, but the problem has a different origin (i.e. it is out of the scope of PHP).

      any number types shouldn't be quoted in SQL. but you wrote the quotation marks in the string yourself.... if you use any DAL (database abstraction layer) you can use that to handle quoting for you.

      regards

        Comment

        • Atli
          Recognized Expert Expert
          • Nov 2006
          • 5062
          #3
          Hi.

          Are there any differences between the MySQL servers on those two machines, or the PHP versions?

          Try catching the error:
          [code=php]
          mysql_query($q) or die(mysql_error ());
          [/code]
          See if that tells you anything.

          You might also want to consider upgrading to the Improved MySQL extension.
          The old MySQL extension was written for MySQL 3, and while it does work with the later versions, it's a bit outdated.

            Comment

            • giloosh
              New Member
              • Sep 2008
              • 2
              #4
              thanks for the replies. All very useful information.
              heres the mysql error I would get:
              truncated incorrect double value php mysql
              the problem had nothing to do with wraping the variabl in quotes. The variableI was using was extracted from a text file and sent in through a socket over the internet, and somewhere along the way they picked up "whitepsace s" of some sort. When I would echo the $var2 it would show up fine, and the white spaces were invisible to me, so I had no idea. after doing trim($var2) it solved the problem. very weird :-/

                Comment

                • Atli
                  Recognized Expert Expert
                  • Nov 2006
                  • 5062
                  #5
                  Ahh ok. You should be very careful when using "foreign" data like that. There is always the chance that the data is corrupt, or even that it has been altered purposefully to damage your web.

                  Consider, for example, if somebody had managed to send this as the value for $var2:
                  Code:
                  1' or 1='1
                  PHP has some very useful functions to validate data like this.
                  Like the is_numeric function, which would be ideal for your situation.

                  Also, remember to always pass all data through the mysql_real_esca pe_string function before putting it into a query.

                    Comment

                    Previous template Next
                    Working...