I am trying to fetch data from a database but it seems not to work.
This is the code:
```php
// Check if the date already exists in the database.
// The column name must be quoted with backticks (an identifier); in single
// quotes, 'date' is a string literal compared to $newDate, so no row matches.
$searchQuery = "SELECT * FROM services WHERE `date` = '" . $newDate . "'";
// echo $searchQuery;
$search = mysql_query($searchQuery);
$row = mysql_fetch_array($search);
echo $row['date'];
```
When I echo the $searchQuery to check the syntax it is correct. I have copied and pasted it into phpMyAdmin and run the query there, and the result is found. However, for some reason it will not display on the web page. I don’t know if this matters, but when I run the query in phpMyAdmin it says “Showing rows 0 - 0 ( 1 total, Query took 0.0007 sec)”. Does this matter?
I need to know where in that code I use mysql_real_escape_string to make sure special characters entered into the form are escaped. When somebody enters something like “Let’s see if this works” the query fails because it isn’t escaped. I know I need to mysql_real_escape_string the values but I don’t know where to put it.
mysql_real_escape_string may be used around any string (or variable) once the database connection has been established; however, the mysql_ library in PHP is being deprecated, and it is strongly advised you switch to mysqli_ or PDO, and in doing so, also change your query formation to use prepared statements; this will eliminate the need for escaping strings, as well as make your code more secure.
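As an added example (not code from the question or the answer above), here is the same lookup rewritten with PDO prepared statements, as the answer recommends. It assumes an in-memory SQLite database so it runs without a MySQL server (only the DSN and credentials change for MySQL), and the `services` table and its rows are constructed for the demonstration.

```php
<?php
// Added example, not the asker's or answerer's code: the lookup done with a
// PDO prepared statement, so input such as "Let's see if this works" needs no
// manual escaping. In-memory SQLite is an assumption chosen so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows standing in for the real `services` table.
$pdo->exec("CREATE TABLE services (id INTEGER PRIMARY KEY, date TEXT NOT NULL)");
$insert = $pdo->prepare("INSERT INTO services (date) VALUES (:date)");
foreach (["2024-05-01", "Let's see if this works"] as $value) {
    $insert->execute([':date' => $value]);
}

// Look up a row by the value entered in the form. The column is quoted with
// backticks (an identifier), not single quotes, which would make it a literal.
// The value travels as a bound parameter and is never spliced into the SQL text,
// so an apostrophe in it cannot break the statement.
function findServiceByDate(PDO $pdo, string $newDate): ?array
{
    $stmt = $pdo->prepare("SELECT * FROM services WHERE `date` = :date");
    $stmt->execute([':date' => $newDate]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The apostrophe that broke the concatenated query is handled transparently.
$row = findServiceByDate($pdo, "Let's see if this works");
echo $row['date'], PHP_EOL;

// A value that matches no row simply returns null instead of failing the query.
var_dump(findServiceByDate($pdo, "2099-12-31"));
```

The same pattern applies to mysqli: `prepare()`, then `bind_param()` and `execute()`, with no call to mysql_real_escape_string anywhere.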