
This seems like such a simple error, but I'm completely stuck. Here is the code:

if (!empty($_POST['searchbird'])) {
    // URL-encode the trimmed search term, then paste it straight into the SQL text.
    $searchbird = rawurlencode(trim($_POST['searchbird']));
    // $searchbird is interpolated without quotes, so MySQL parses it as a column name.
    $result = mysql_query("SELECT `sciname` FROM `wp_birds` WHERE $searchbird = `comname`");
    if (!$result) {
        echo 'Could not run query: ' . mysql_error();
        exit;
    }
    // mysql_fetch_row() returns one result row as a numerically indexed array.
    $searchterm = mysql_fetch_row($result);
}

The SQL database is set up so that column 4 is the comname and column 5 is the sciname.

And here is the error:

Could not run query: Unknown column 'this is the searchterm' in 'where clause'

2 Answers

This is your current query,

SELECT `sciname` FROM `wp_birds` WHERE $searchbird = `comname`

If the data type of comname is a string, the value should be enclosed in single quotes, since it is a literal.

SELECT `sciname` FROM `wp_birds` WHERE  `comname` = '$searchbird' 

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you no longer need single quotes around values.

John Woo
  • Thanks for this MySQL injection point, I'll research and stick that in there as well. This solved my problem; however, now the $searchterm variable (after mysql_fetch_row()) is returning 'array', not the searched-for term. – Jonathan Coffey Apr 03 '13 at 14:50
  • It returns a resource which you need to iterate; see here how: http://php.net/manual/en/function.mysql-fetch-row.php – John Woo Apr 03 '13 at 14:51
  • Thank you so much for the help, I have so much to learn! – Jonathan Coffey Apr 03 '13 at 14:55

First of all, you are exposing yourself to SQL injection. Before doing anything else, you will need to cover this. The PDO library makes it very easy and safe.

Regarding your question, the final query is the following:

SELECT sciname FROM wp_birds WHERE this is the searchterm = 'comname'

What you are looking for is the following (note the quotation marks):

SELECT sciname FROM wp_birds WHERE comname = 'this is the searchterm'

But you should not do that, because you are still exposed to SQL injection.

nicbou
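Both answers make the same two points: the literal must be quoted, and even then string-building the query leaves it open to SQL injection, which a prepared statement removes. The following is an added example, not code from the question or from either answer. It runs the vulnerable interpolated query next to a PDO prepared statement against an in-memory SQLite database so it works offline; the table layout (`wp_birds` with `comname` and `sciname`) follows the question, while the rows, the `findSciname()` helper and the injection payload are constructed for illustration. On the real site the `sqlite::memory:` DSN would be replaced by a `mysql:` DSN.

```php
<?php
// Added example: vulnerable string-built query versus a PDO prepared statement.
// Uses SQLite in memory so it runs without a MySQL server; rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `wp_birds` (`comname` TEXT, `sciname` TEXT)');
$pdo->exec("INSERT INTO `wp_birds` VALUES
    ('Common Blackbird', 'Turdus merula'),
    ('European Robin',   'Erithacus rubecula')");

// 1. The approach from the question, with the quotes the answers add.
//    The user's value becomes part of the SQL text, so a crafted value
//    changes the meaning of the WHERE clause.
function unsafeSql(string $searchbird): string {
    return "SELECT `sciname` FROM `wp_birds` WHERE `comname` = '$searchbird'";
}

$honest  = 'European Robin';
$hostile = "x' OR '1'='1";   // constructed injection payload (hypothetical input)

echo unsafeSql($honest), "\n";
echo unsafeSql($hostile), "\n";   // the quote in the payload closes the literal early

$rows = $pdo->query(unsafeSql($hostile))->fetchAll(PDO::FETCH_COLUMN);
echo 'unsafe query matched ', count($rows), " rows for a name that does not exist\n";

// 2. Prepared statement: the SQL text is fixed and the value is bound
//    separately, so no quoting or escaping of the value is needed and the
//    payload is compared as a literal string.
function findSciname(PDO $pdo, string $searchbird): array {
    $stmt = $pdo->prepare('SELECT `sciname` FROM `wp_birds` WHERE `comname` = :name');
    $stmt->execute([':name' => trim($searchbird)]);
    // fetchAll() returns an array of rows; iterate it instead of echoing the
    // array itself, which is what produced the 'array' output in the comments.
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach (findSciname($pdo, $honest) as $sciname) {
    echo $sciname, "\n";
}
$hits = findSciname($pdo, $hostile);
echo 'prepared query matched ', count($hits), " rows for the same payload\n";
```

The example drops the `rawurlencode()` call from the question: with a bound parameter there is nothing to escape, and URL-encoding would turn a space into `%20`, so a common name stored as plain text would no longer match. The `mysql_*` functions the question uses have no parameter binding at all; PDO (or MySQLi) prepared statements are the replacement both answers point to.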