
What would be the proper way to concatenate this query?

$query2= "SELECT * FROM relationships WHERE user_1= '.$_SESSION['user_id'].'     
AND user_2= '.$user_id.' ";

I keep getting this error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\xampp\htdocs\beta\profile.php on line 32

Matt
  • Please do yourself a favor and prevent possible SQL injection by using parameterized queries instead of concatenating strings. By concatenating unescaped strings it is only a matter of time before someone steals, modifies or deletes all your data. It is a disaster waiting to happen. http://stackoverflow.com/a/60496/36866 – some Aug 12 '12 at 01:45

3 Answers

What would be the proper way to concatenate this query?

To let your SQL library/client/server do it for you (while escaping special characters for free). Trying to build code by mashing strings together is relatively error prone and involves fiddly combinations of various quote characters that can become hard to maintain.

Use prepared statements and bound arguments instead.

Quentin

You have an incorrect nesting of single and double quotes.

$query2= "SELECT * FROM relationships WHERE user_1= '" . $_SESSION['user_id'] . "' AND user_2= '" . $user_id . "'";
ILker Özcan
  • This is the correct answer. The question is about string concatenation, it is not soliciting opinion on how to access a database. – user229044 Aug 11 '12 at 21:21
  • @Alnitak: The fact the OP is asking the wrong question doesn't justify downvoting answers that answer it. – Eric Aug 11 '12 at 21:21
  • @Eric Exactly this. Downvotes are not warranted here. This answer and [this answer](http://stackoverflow.com/a/11917758/229044) both correctly answer the question as it is asked. If you don't agree with the method the OP is using, leave a comment on the question, don't downvote correct answers. – user229044 Aug 11 '12 at 21:23
  • answering the question as written without pointing out the security issue is IMNSVHO irresponsible. – Alnitak Aug 11 '12 at 21:23
  • @meagar and the only reason it is not soliciting that opinion is because the OP doesn't know any better. – Alnitak Aug 11 '12 at 21:24
  • A comment would do more to educate the OP than a downvote on a correct answer. – user229044 Aug 11 '12 at 21:29
  • If the answerer can demonstrate that he also has enough clue to fix the problem, I'll revert the downvote. I note that someone has downvoted Quentin's answer, even though it's the best advice the OP will ever get. – Alnitak Aug 11 '12 at 21:34
  • @Alnitak: he probably got downvoted for suggesting prepared statements "without pointing out the security issue" they fix – Eric Aug 12 '12 at 20:32

Either:

$query2 = "SELECT * FROM relationships WHERE user_1='" . $_SESSION['user_id'] . "' AND user_2='" . $user_id . "'";

Or:

$query2 = "SELECT * FROM relationships WHERE user_1='{$_SESSION['user_id']}' AND user_2='$user_id'";

fixes your syntax error. However, forming queries through concatenation is a bad idea. At the very least, you should mysql_real_escape_string all the arguments, if not move to using PDO.

Eric
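The following is an added example, not code from the question or from Quentin's or Eric's answers. It puts the concatenated query the answers produce next to the prepared statement Quentin and Eric recommend, and runs both against an in-memory SQLite database through PDO so it executes offline with no MySQL server. The table layout, the rows, the `$hostile` value and the two helper functions are constructed for the demo; the page itself only shows the column names `user_1` and `user_2`.

```php
<?php
// Added example: concatenated SQL beside a PDO prepared statement.
// Not part of the original question or answers.
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL database in the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema and rows; the page only names user_1 and user_2.
$pdo->exec('CREATE TABLE relationships (user_1 TEXT, user_2 TEXT, status TEXT)');
$pdo->exec("INSERT INTO relationships VALUES ('1','2','friend'), ('1','3','blocked'), ('4','5','friend')");

// Stand-in for $_SESSION['user_id'] in the question.
$sessionUserId = '1';

// The string the answers build. Syntactically fine, but $userId is pasted
// straight into the SQL text, so it can rewrite the WHERE clause.
function concatenatedQuery(string $sessionUserId, string $userId): string
{
    return "SELECT * FROM relationships WHERE user_1='" . $sessionUserId
         . "' AND user_2='" . $userId . "'";
}

// Prepared statement: the SQL text is fixed at prepare() time and the values
// are sent separately, so no input can change the statement's structure.
function preparedLookup(PDO $pdo, string $sessionUserId, string $userId): array
{
    $stmt = $pdo->prepare('SELECT * FROM relationships WHERE user_1 = ? AND user_2 = ?');
    $stmt->execute([$sessionUserId, $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile value in place of $user_id (e.g. taken from a query string).
$hostile = "x' OR '1'='1";

// 1. Concatenation: the closing quote in $hostile ends the literal early.
$sql = concatenatedQuery($sessionUserId, $hostile);
echo "Concatenated SQL:\n  $sql\n";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "  rows returned: " . count($rows) . "\n";

// 2. Prepared statement with the same hostile input.
$rows = preparedLookup($pdo, $sessionUserId, $hostile);
echo "Prepared statement, hostile input: " . count($rows) . " rows\n";

// 3. Prepared statement with a legitimate id.
$rows = preparedLookup($pdo, $sessionUserId, '2');
echo "Prepared statement, user_2 = '2': " . count($rows) . " rows\n";
```

Run it with `php example.php`. Because `AND` binds tighter than `OR`, the concatenated statement becomes `... WHERE user_1='1' AND user_2='x' OR '1'='1'`, which is true for every row, so the first query returns all three rows including user 4's relationship. The prepared statement compares `user_2` against the literal string `x' OR '1'='1` and returns nothing; with the real id `'2'` it returns the one matching row. The same pattern on MySQL is `$pdo = new PDO('mysql:host=...;dbname=...', $user, $pass)` with an identical `prepare()`/`execute()` call, or with mysqli `$stmt = $mysqli->prepare($sql); $stmt->bind_param('ss', $sessionUserId, $userId); $stmt->execute();`.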