PHP string variable in WHERE clause MySQL

我寻月下人不归 2021-02-20 13:04

I am having a problem with this simple sql query:



        
1 Answer
  •  攒了一身酷
    2021-02-20 13:13

    You are getting no data because you have an extra space between the quotes,

    $query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
                                                                        ^ HERE      ^
    

    which will then be parsed into

    SELECT * FROM toho_shows WHERE toho_shows.show =' gothaf '
    

    remove it and it will work

    $query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='". $show. "'";
    

    As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

    • How to prevent SQL injection in PHP?
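
The prepared-statement approach the answer recommends, as an added example that is not part of the original answer. It assumes PDO with an in-memory SQLite database and constructed rows so it runs offline (the page's database is MySQL, where only the DSN changes); `findShows` and the `venue` column are hypothetical names.

```php
<?php
// Added example with constructed data; SQLite in memory stands in for MySQL.
// For MySQL, use a DSN such as 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE toho_shows (id INTEGER PRIMARY KEY, "show" TEXT, venue TEXT)');
$ins = $pdo->prepare('INSERT INTO toho_shows ("show", venue) VALUES (?, ?)');
foreach ([['gothaf', 'Hall A'], ["rock'n'roll", 'Hall B']] as $row) {
    $ins->execute($row);
}

// Hypothetical helper: the value travels as a bound parameter, so the SQL
// text never contains it and no quotes are written around it.
function findShows(PDO $pdo, string $show): array
{
    $stmt = $pdo->prepare('SELECT * FROM toho_shows WHERE toho_shows.show = :show');
    $stmt->execute([':show' => $show]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = [
    'gothaf',       // exact value stored in the table
    ' gothaf ',     // padded value, what the original query compared against
    "rock'n'roll",  // legitimate value that itself contains single quotes
];
foreach ($inputs as $show) {
    printf("%-16s => %d row(s)\n", json_encode($show), count(findShows($pdo, $show)));
}

// For contrast: building the SQL by concatenation, as in the answer's
// corrected line, lets a quote inside the value end the string literal early.
$show = "rock'n'roll";
$concatenated = "SELECT * FROM toho_shows WHERE toho_shows.show ='" . $show . "'";
try {
    $pdo->query($concatenated);
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```

The bound version matches only the exact stored value, so the padded string finds nothing and the quoted value is found as ordinary data, while the concatenated query for the same value is rejected as malformed SQL.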
