php mysql query with hyphen character

Question

I have a query problem with hyphen character.

$user = "test-user";
$q = @mysql_query("SELECT id FROM table WHERE user='$user'");
echo mysql_error(); //no error message

test-user record is in table but query result coming empty. Also mysql error message is empty. What is wrong?

EDIT: Thank you for answers. I apologize to everyone. I found the problem and I see now the problem is not in the query. Problem coming form regex.

if (preg_match("/^[a-z0-9]+$/i", $user)) //dash character not in regex
{
$q = @mysql_query("SELECT id FROM table WHERE user='$user'");
}

I've corrected the problem as follows:

if (preg_match("/^[a-z0-9\-]+$/i", $user)) //added \- to regex for dash
{
$q = @mysql_query("SELECT id FROM table WHERE user='$user'");
}

For one thing - don't use `@` to suppress the error message from `mysql_query`; for another - you should look at using mysqli_* instead, as the mysql_ functions are deprecated. — andrewsi, Feb 09 '14 at 17:31
Give your table with sample date, that is not working. The error is very minor - it has nothing to do with hyphen. — user4035, Feb 09 '14 at 17:33
It may just be your example, but 'table' is a reserved word in MySQL and thus needs to be back-ticked. But you should be back ticking all table and columns names by course of habit. — JamesG, Feb 09 '14 at 17:38
`$q = mysql_query("SELECT id FROM \`table\` WHERE user='".$user."'") or die(mysql_error());` — Mr. Radical, Feb 09 '14 at 17:45
@andrewsi Please stop lecturing on `mysql_` commands versus `mysqli_` it’s pedantic & ignores the core question. — Giacomo1968, Feb 09 '14 at 17:53

score 0 · Answer 1 · answered Feb 09 '14 at 17:44

0

Just use mysql_real_escape_string to escape the data string.

$user = "test-user";
$user = mysql_real_escape_string($user);
$q = @mysql_query("SELECT id FROM table WHERE user='$user'");
echo mysql_error(); //no error message

But I would also recommend using or die() syntax instead of the @mysql_query you have in place.

$user = "test-user";
$user = mysql_real_escape_string($user);
$q = mysql_query("SELECT id FROM table WHERE user='$user'") or die ("Error: " . mysql_error());

answered Feb 09 '14 at 17:44

Giacomo1968

25,759
11
71
103

And note that the mysql_ suite of functions are deprecated – Strawberry Feb 09 '14 at 17:51
@Strawberry And who cares about `mysql_`, but the reality is that is a really pedantic way to respond to a question. And harassing posters on this site about that is frowned upon. The original poster should code as they should and if the `mysql_` stop working, that is their problem. – Giacomo1968 Feb 09 '14 at 17:52

score 0 · Answer 2 · edited Feb 18 '16 at 10:44

0

Any difference if you change the query to:

$q = mysql_query("SELECT id FROM table WHERE user='".$user."'");

Unless I'm having a very slow Sunday I think you're searching for the literal string $user rather than the variable value.

edited Feb 18 '16 at 10:44

Kruti Patel

1,422
2
23
36

answered Feb 09 '14 at 17:49

steve

2,469
1
23
30

That shouldn't make a difference - the string is wrapped in double quotes, so `$user` will be substituted properly. – andrewsi Feb 09 '14 at 18:03

Mr. Radical · Answer 3 · 2014-02-09T18:34:30.110

0

Try this:

$user = "test-user";
$q = mysql_query("SELECT id FROM `table` WHERE user='".$user."'")
    or die(mysql_error());//no error message;

Full example with mysqli_:

    $host = "";
    $user = "";
    $password = "";
    $database = "";   

    $user_name_query = "test-user"; // If this value is from a form please read more about sql-injection. 

    // open connection to database
    $link = mysqli_connect($host, $user, $password, $database);
        IF (!$link){
            echo ("Unable to connect to database!");
        }
        ELSE {
           // SELECT QUERY
           $query = "SELECT id FROM `table` WHERE user='".$user_name_query."'";
         mysqli_query($link,$query)  or die("Query failed");

        }
// close connection to database
        mysqli_close($link);

edited Feb 09 '14 at 18:34

answered Feb 09 '14 at 17:57

Mr. Radical

1,847
1
19
29

A post on sql-injection can be found at: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php. – Mr. Radical Feb 09 '14 at 18:35
@webmaster you could change the `=` into `LIKE` and then use wild cards for the text search. – Mr. Radical Feb 09 '14 at 19:03

score 0 · Answer 4 · answered Feb 09 '14 at 18:06

0

       $p = mysql_query("SELECT id FROM table WHERE user='$user'");
        if (!$p) 
        {
            die('Could not query:' . mysql_error());
        }
        else
        {
            echo mysql_result($p>0);
        }

try it

answered Feb 09 '14 at 18:06

Ferrakkem Bhuiyan

2,741
2
22
38

php mysql query with hyphen character

4 Answers4