
I'm sure this is very simple - I'm just trying to query MySQL and return the row that matches the last name entered into an HTML form - this works when the input (and query) is an integer, but not when I try to use the last name (Lname). Any ideas? (I'm very, very new to PHP and coding....)

<form name="namelookup" action="main2test.php" method="post">
  Last name: <input type="text" name="Lname" /><br />
  <input type="submit" value="Submit" />
</form>

<?php

$Lname=$_POST['Lname'];

// sending query ($Lname is interpolated straight into the SQL string, unquoted)
$result = mysql_query("SELECT * FROM {$table} WHERE `Lname`=$Lname");
if (!$result) {
    die("Query to show fields from table failed");
}
elong
  • Welcome to Stack Overflow! Please, don't use `mysql_*` functions for new code. They are no longer maintained and the community has begun the [deprecation process](http://goo.gl/KJveJ). See the [**red box**](http://goo.gl/GPmFd)? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide, [this article](http://goo.gl/3gqF9) will help to choose. If you care to learn, [here is good PDO tutorial](http://goo.gl/vFWnC). – Manse Jul 17 '12 at 15:02
  • I also suggest you stop what you are doing and learn about [SQL injection attacks](http://php.net/manual/en/security.database.sql-injection.php) – lc. Jul 17 '12 at 15:03
  • Take a look at [Reference: What is a perfect code sample using the MySQL extension?](http://stackoverflow.com/questions/6198104/reference-what-is-a-perfect-code-sample-using-the-mysql-extension) – Markus Hedlund Jul 17 '12 at 15:05

1 Answer

$result = mysql_query("SELECT * FROM {$table} WHERE `Lname`='".mysql_real_escape_string($Lname)."'");
Waygood
    You may notice `mysql_real_escape_string()` in use here, learn it, use it, love it! http://php.net/mysql_real_escape_string – Dale Jul 17 '12 at 15:04
    mysqli_real_escape_string (see the red box in @Dale's link) would have been a better link – allen213 Jul 17 '12 at 15:11
  • Except that in this case he hasn't used mysqli so it's useless :P, I understand what you're saying though you negative pony! – Dale Jul 17 '12 at 15:13
  • The quotes, or back ticks, around the column name (Lname) are unnecessary in this instance. – Khasm08 Jul 17 '12 at 15:34
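As an added example (not part of the question or the answer above): the same last-name lookup written with a PDO prepared statement, so the value from the form is sent to MySQL as a bound parameter rather than spliced into the SQL text. The DSN, the credentials and the table name `people` are assumptions for illustration; the page's own `$table` variable is replaced by a literal because identifiers cannot be bound.

```php
<?php
// Added example: look up rows by last name with a PDO prepared statement.
// DSN, credentials and the table name `people` are assumptions for illustration.

// Refuse the request early if the form field is missing or not a plain string.
if (!isset($_POST['Lname']) || !is_string($_POST['Lname'])) {
    http_response_code(400);
    exit('Last name is required');
}
$Lname = $_POST['Lname'];

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // assumed DSN
    'db_user',                                                 // assumed user
    'db_password',                                             // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// Table and column names cannot be bound, so they are literals here.
// The value for :lname travels separately from the SQL text, so a name such as
// O'Brien is matched as data and can no longer break (or alter) the statement.
$stmt = $pdo->prepare('SELECT * FROM people WHERE Lname = :lname');
$stmt->execute([':lname' => $Lname]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

if ($rows === []) {
    echo 'No match for ', htmlspecialchars($Lname, ENT_QUOTES, 'UTF-8');
} else {
    foreach ($rows as $row) {
        // Escape on output too, so stored values cannot inject HTML into the page.
        echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "<br />\n";
    }
}
```

The `mysql_*` extension used in the question and answer was removed in PHP 7, so on a current PHP install the query has to go through PDO or MySQLi anyway.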