0

I have a problem with my search engine. I can search, but when clicking the link this is what comes out: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Pacina' at line 1"... I don't know how to fix it. Your answer might be a big help for me.. :)

This is my code:

```php
<?php
    mysql_connect("localhost","root","");
    mysql_select_db("infokiosk");

    $name=$_GET['name'];
    $sql = mysql_query("select * from  basicinfo WHERE name=$name") or die(mysql_error());

While($row = mysql_fetch_array($sql)) {

$id= $_GET['id'];
$name=$_GET['name'];
$description=$_GET['description'];

{
?>
  <tr>
<td><?php echo $name; ?></td><?php echo $description; ?>
</tr>

    </div>
<?php }} ?>

<br>
<?php
 $sql = mysql_query("select * from  staffreg WHERE name LIKE '%$search%' or description LIKE '%$search%' or keyword LIKE '%$search%'") or die(mysql_error());

While($row = mysql_fetch_array($sql)) {

$id= $row['id'];
$name=$row['name'];
$description=$row['description'];
{
?>

<tr>
<td><?php echo $name; ?></td>
<?php echo $description; ?>
<?php echo $status; ?>
</tr>

    </div>
<?php }}?>

<?php
 $sql = mysql_query("select * from  search WHERE name LIKE '%$search%' or description LIKE '%$search%' ") or die(mysql_error());

While($row = mysql_fetch_array($sql)) {

$id= $row['id'];
$name=$row['name'];
$description=$row['description'];
$content=$row['content'];

{
?>

<tr>
<td><?php echo $name; ?><br> <?php echo $content ?></td>

</tr>

    </div>
<?php }}?>
```

I don't know what/where the problem line is.. :( Thanks in advance.. :)

  • You probably need quotes around `$name` in this line: `"select * from basicinfo WHERE name=$name"`, but actually you need a whole lot more as this is asking for an SQL Injection attack. –  Apr 28 '14 at 05:23
  • You should read on [how to prevent SQL injections in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Apr 28 '14 at 05:28

3 Answers

3

A string should be surrounded with single quotes in the query:

"SELECT * FROM  basicinfo WHERE `name`='".$name."'";

Warning: Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Zoe
Rikesh
0

For your SELECT statement you need to make $sql like

 $sql = mysql_query("select * from  search WHERE name LIKE '%".$search."%' or description LIKE '%".$search."%'") or die(mysql_error());

and your other select statement

$sql = mysql_query("select * from  basicinfo WHERE `name`='$name'") or die(mysql_error());

This (mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, Prepared Statements of the MySQLi or PDO_MySQL extension should be used to ward off SQL Injection attacks!

Shankar Narayana Damodaran
Anant Dabhi
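
The prepared-statement approach the answers recommend, applied to the question's `basicinfo` lookup and `LIKE` search, as an added example that is not code from any poster on this page. It uses PDO with an in-memory SQLite database in place of MySQL so it runs offline; the sample rows, the `findByName` and `searchText` helpers, and the `!` LIKE escape character are assumptions made for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the page's MySQL database so this runs
// offline (assumes the pdo_sqlite extension); the two query functions work unchanged on MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE basicinfo (id INTEGER PRIMARY KEY, name TEXT, description TEXT)");
$pdo->exec("CREATE TABLE search (id INTEGER PRIMARY KEY, name TEXT, description TEXT, content TEXT)");

// Constructed sample rows.
$ins = $pdo->prepare("INSERT INTO basicinfo (name, description) VALUES (?, ?)");
$ins->execute(['Maria Pacina', 'Registrar']);
$ins->execute(["Pat O'Neil", 'Library']);
$ins = $pdo->prepare("INSERT INTO search (name, description, content) VALUES (?, ?, ?)");
$ins->execute(['Fees', '100% refundable deposit', 'Deposit rules']);
$ins->execute(['Hours', 'Open 100 days a year', 'Opening hours']);

// Exact match: the value is bound as a parameter, never concatenated into the SQL text.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name, description FROM basicinfo WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE search: escape the user's own % and _ so they match literally, then bind the pattern.
function searchText(PDO $pdo, string $term): array
{
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $pdo->prepare(
        "SELECT id, name, content FROM search
         WHERE name LIKE :p1 ESCAPE '!' OR description LIKE :p2 ESCAPE '!'"
    );
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a name with a space, a name with a quote, and an
// injection-style string. Each one reaches the database purely as data.
foreach (['Maria Pacina', "Pat O'Neil", "x' OR '1'='1"] as $name) {
    printf("%-16s -> %d row(s)\n", $name, count(findByName($pdo, $name)));
}

// '100%' matches only the row that really contains "100%". Escape on output as well.
foreach (searchText($pdo, '100%') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```
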
0

Server version: 5.5.32 - MySQL Community Server (GPL)

**$sql = mysql_query("select * from  staffreg WHERE name LIKE '%".$search."%' or description LIKE '%".$search."%' or keyword LIKE '%".$search."%'") or die(mysql_error());**

**$sql = mysql_query("select * from  search WHERE name LIKE '%".$search."%' or description LIKE '%".$search."%' ") or die(mysql_error());**

Use the latest MySQL version, install it on your system, and print every query you write to your browser, then run the SQL (phpMyAdmin) and get the result.

Lucifer