code
$query="select id from myTable1 where title='$_POST('$myVar')' " ;
echo $query;
result
select id from myTable1 where title='Array('title1')'
For putting a $_POST variable in the where clause, I don’t know which is correct: the parentheses in the above or the brackets in the below?
code
$query="select id from myTable1 where title='$_post['$myVar']' " ;
echo $query;
result
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
How can I make the result "select id from myTable1 where title='title1' "?
You also need to escape the single quotes, as someone suggested to you in another thread earlier today, or concatenate strings to build the final query (my preference).
$query="select id from myTable1 where title='".$_post['$myVar']."' " ;
Also, '$myVar' would need to be the name of the HTML form element the data is coming from.
I have the code above in DBaction3-3.php; it will be reached from http://dot.kr/x-test/todbAction3-3.php.
The result of it is "select id from myTable1 where title='' " instead of "select id from myTable1 where title='title1' "?
Firstly, you don’t seem to have any SQL Injection prevention. Using user-submitted values directly in your queries is a big problem.
It should look something like this:
// escape the submitted value before it goes into the query string
$title = mysql_real_escape_string($_POST['myVar']);
$query = "SELECT id FROM myTable1 WHERE title='$title' ";
Which sort of solves your second problem because referring to $title inside a string is a lot simpler than referring to $_POST['title'].
But, FYI if you ever do need to use an associative array value in a string you have these options:
/* no single quotes required around 'name'
because the string is wrapped in double quotes
and the variable will be parsed */
$myString = "Hello $_POST[name], how are you?";
/* single quotes required when using curly
brackets to isolate the variable */
$myString = "Hello {$_POST['name']}, how are you?";
/* concatenate */
$myString = 'Hello ' . $_POST['name'] . ', how are you?';
dotJoon, you don’t need $_post['$myVar'].
$_POST should be capitalized and the array key is myVar NOT $myVar.
The name of the form field is myVar, so that is the key it will have in $_POST.
You can check the structure of your POST array by doing:
dotJoon, you still have a dollar sign in front of $myVar near where you have highlighted POST in red. You even quoted my post where I said not to use $myVar.
Like Kalon and I said you need to remove that dollar sign. You’re referring to an array key, not a variable.
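A parameterized version of the query discussed in this thread, as an added example that is not any poster's code. It assumes PDO with an in-memory SQLite database in place of the thread's `mysql_*` functions (that extension was removed in PHP 7.0); the function names, sample rows and the `$post` stand-in for `$_POST` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed fixture: in-memory SQLite standing in for the thread's MySQL table.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE myTable1 (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO myTable1 (title) VALUES ('title1'), ('it''s title2')");
    return $db;
}

// Concatenated form from the thread: the value becomes part of the SQL text,
// so a quote character inside the value changes the structure of the query.
function findIdsConcatenated(PDO $db, array $post): array {
    $query = "SELECT id FROM myTable1 WHERE title='" . $post['myVar'] . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized form: the SQL text is fixed and the value is bound separately.
function findIdsPrepared(PDO $db, array $post): array {
    // The key is the form field name (myVar), not a PHP variable ($myVar).
    // A field submitted as myVar[] would arrive as an array, so reject that too.
    if (!isset($post['myVar']) || !is_string($post['myVar'])) {
        throw new InvalidArgumentException('form field "myVar" is missing or not a string');
    }
    $stmt = $db->prepare('SELECT id FROM myTable1 WHERE title = :title');
    $stmt->execute([':title' => $post['myVar']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
foreach (['title1', "it's title2"] as $title) {
    $post = ['myVar' => $title];   // constructed stand-in for $_POST
    try {
        $ids = findIdsConcatenated($db, $post);
        echo "concatenated [$title]: ", json_encode($ids), "\n";
    } catch (PDOException $e) {
        echo "concatenated [$title]: query broke (", $e->getMessage(), ")\n";
    }
    echo "prepared     [$title]: ", json_encode(findIdsPrepared($db, $post)), "\n";
}
```

Both forms find the row for `title1`; only the prepared statement still works when the submitted title contains an apostrophe, because the bound value is never parsed as SQL.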