
Here is the warning:

user warning: Unknown column 'student2' in 'where clause' query: SELECT first, last, id FROM sgp_student_log WHERE username1 =student2 in .../public_html/includes/common.inc(1731) : eval()'d code on line 18.

Here is the code:

<?
global $user;
$rus = db_query("SELECT first, last, id FROM {student_log} WHERE username1 =%s", $user->name); 
$ruw = db_fetch_array($rus);
print_r($ruw);
?>

OF COURSE SOMETHING LIKE the following will work

<?
global $user;
$res = db_query("SELECT first, last, id FROM {student_log} WHERE username1 ='student2'"); 
$row = db_fetch_array($res);
print_r($row);
?>
ingrid
  • You need to *quote* string literals e.g. `'%s'` (remembering to ensure they have been escaped against [SQL injection attacks](http://stackoverflow.com/q/332365)). Or better yet, [pass them as parameters to prepared statements](http://stackoverflow.com/a/60496). – eggyal Jan 21 '13 at 23:50
  • what is a prepared statement? What are string literals? What does 'escape them against sql injections' mean? – ingrid Jan 21 '13 at 23:51
  • `'student2'` is a string literal, in that you want MySQL to interpret it as a literal *string* of characters (rather than an SQL token or identifier, such as the name of a column). String literals must be quoted in SQL, or else MySQL will not realise that's what it is. Follow the links above to learn about prepared statements and SQL injection. – eggyal Jan 22 '13 at 00:00
  • Thanks. Should I delete the question? You were right, simply needed to add the '' around %s. – ingrid Jan 22 '13 at 00:05
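A worked illustration of the three behaviours the comments describe: the bare `%s` being parsed as a column name, the quoted literal that fixes this specific query, and the parameterized form eggyal recommends. This is example code added here, not anything from the question or from Drupal; it uses Python's `sqlite3` as a stand-in for Drupal's `db_query`, and the `student_log` rows and usernames (including one containing an apostrophe) are constructed.

```python
import sqlite3


def make_db():
    """Build an in-memory stand-in for the question's student_log table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE student_log (first TEXT, last TEXT, id INTEGER, username1 TEXT)"
    )
    conn.executemany(
        "INSERT INTO student_log VALUES (?, ?, ?, ?)",
        [
            ("Ada", "Lovelace", 1, "student1"),
            ("Alan", "Turing", 2, "student2"),
            ("Conor", "O'Brien", 3, "o'brien"),  # a legitimate value that contains a quote
        ],
    )
    return conn


def run(conn, sql, params=()):
    """Execute one query and return its rows, or the database's error message as a string."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def lookup_unquoted(conn, username):
    # Same shape as the question's db_query("... WHERE username1 =%s", ...): the value is
    # pasted into the SQL text bare, so the parser reads it as an identifier (a column name)
    # and reports that no such column exists.
    return run(conn, "SELECT first, last, id FROM student_log WHERE username1 =%s" % username)


def lookup_quoted(conn, username):
    # The fix from the comments (quotes around %s) but with no escaping at all: correct for
    # "student2", a syntax error for any value that itself contains a quote character.
    return run(conn, "SELECT first, last, id FROM student_log WHERE username1 ='%s'" % username)


def lookup_param(conn, username):
    # Prepared-statement style: the value travels separately from the SQL text, so the
    # database never parses it as SQL and quoting/escaping is not the application's job.
    return run(conn, "SELECT first, last, id FROM student_log WHERE username1 = ?", (username,))


if __name__ == "__main__":
    db = make_db()
    for name in ("student2", "o'brien"):
        print("unquoted:", lookup_unquoted(db, name))
        print("quoted:  ", lookup_quoted(db, name))
        print("param:   ", lookup_param(db, name))
```

The unquoted form reproduces the "Unknown column" error from the question for every input; the quoted form works for `student2` but breaks on `o'brien`, which is the escaping problem eggyal points to. In Drupal 6 the `'%s'` placeholder is escaped by `db_query` itself, which is why adding the quotes was enough for the asker, but the parameterized form is the one that stays correct regardless of what `$user->name` contains.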

0 Answers