Query is empty, why?

Question

Here is my code:

<?php
    $_SETTINGS = $GLOBALS["_SETTINGS"];
    $trigger = $_SETTINGS->fields->trigger->value;
    echo $trigger . " = " . $_GET[$trigger] . "</br>";
    $townQry = "SELECT * FROM towns WHERE id = '" . $_GET[$trigger] . "'";
    echo $townQry . "</br>";
    $result = mysql_query($cityQry) or die('Could not retreive towns: ' . mysql_error());

    while ($town = mysql_fetch_assoc($result)) {
        echo $town["town_name"];
    }
?>

This is what it is echoing out:

town_id = 2
SELECT * FROM towns WHERE id = '2'
Could not retreive towns: Query was empty

Isn't the SQL valid...!?

Your variable is `$townQry`, not `$cityQry`. You must at a minimum call `mysql_real_escape_string()` on `$_GET[$trigger]`. This is wide open to SQL injection. — Michael Berkowski, Jun 07 '13 at 18:53
Yeah, that all happens elsewhere. You got it Mike. Create an answer. — Rick Bross, Jun 07 '13 at 18:53
Please [read this carefully](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) and consider using an API supporting prepared statements. — Michael Berkowski, Jun 07 '13 at 18:55

score 3 · Accepted Answer · answered Jun 07 '13 at 18:54

3

You use $cityQry in your query, but the query is in $townQry.

$result = mysql_query($townQry) or die('Could not retreive towns: ' . mysql_error());

Additional

Your query is wide open to sql injection, I'd advice you to Google prepared statements.

answered Jun 07 '13 at 18:54

MaX

1,765
13
17

score 1 · Answer 2 · answered Jun 07 '13 at 18:54

1

You are calling the query:

mysql_query($cityQry)

But your query variable is named $townQuery.

It should be:

mysql_query($townQuery)

answered Jun 07 '13 at 18:54

Bad Wolf

8,206
4
34
44

Query is empty, why?

2 Answers2