php mysql search by variable?

Question

Please help me with how can I retrieve data from mysql having a variable in my sql query.. my php code is

$status=$_GET['status'];
$query="SELECT * FROM students WHERE status='$status' ";

When I run the query mysql generates

 unknown column 'Lead'

where Lead is the value of $status. I tried it with \'$status\' , '{$status}' but same error.. Please help me I'm working on it since yesterday but found no solution. I tried mysql_real_escape_string() but same error.. may be I was using it with wrong syntax.

  $query="SELECT * FROM students WHERE status=".mysql_real_escape_string($status);

Thanks in advance....

`$query="SELECT * FROM students WHERE \`status\`='" . mysql_real_escape_string($status) . "'";` — NullUserException, Oct 08 '12 at 21:04
Keep in mind: http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php (I recommend placeholders in general to avoid having to worry about quotes - I'm lazy.) — , Oct 08 '12 at 21:05
Are you sure you don't have "where $status='$status'"? Those pesky symbols like to jump around sometimes. — aynber, Oct 08 '12 at 21:07
@NullUserException that was an answer, you should've typed it as such! — xception, Oct 08 '12 at 21:08
@davesnitty when I echo output is SELECT * FROM students WHERE status=Lead — Sikander, Oct 08 '12 at 21:22
@NullUserException thanks bro!! It worked.... post it as answer — Sikander, Oct 08 '12 at 21:39
@Sikander What will happen when the `$_GET` variable = `';drop table students;'`? — d-_-b, Oct 08 '12 at 21:45
Read and lookup people's (@NullUserException, Lajos, etc.) suggestions for `mysql_real_escape_strings` or `htmlspecialchars` or `htmlentities` :) — d-_-b, Oct 08 '12 at 21:57

score 1 · Accepted Answer · answered Oct 08 '12 at 21:36

1

$status=$_GET['status'];
$query="SELECT * FROM students WHERE status='".$status."'";

and escaping is a good idea, but I think mysql_escape_string is deprecated and its usage is discouraged, you should always use mysql_real_escape_string.

answered Oct 08 '12 at 21:36

Lajos Arpad

64,414
37
100
175

score 0 · Answer 2 · answered Oct 08 '12 at 21:12

0

I'm afraid 'status' is a reserved word for sql: see http://drupal.org/node/141051

Try:

$status = mysql_real_escape_string($status)

$query = "SELECT * FROM `students` WHERE `status` = '$status'";

answered Oct 08 '12 at 21:12

Aubin

14,617
9
61
84

php mysql search by variable?

2 Answers2