-2

I'm trying to use a variable within a query WHERE statement, but it shows 0 results. If I directly hard code the text instead of using the variable, it works. The variable is pulling from a $_GET, and if I echo that variable, it is showing the correct text.

Here's my code:

$Domain = $_GET['Domain'];
$result = mysql_query(SELECT Code, Title, Domain, Status FROM tablename WHERE Domain="$Domain" ORDER BY Code');

If I swap out $Domain for direct text, like ABC, it works. I have tried swapping out the quotes and single quotes throughout the statement, removing the quotes around $Domain, concatenating the statement separately.... all yield erros or the same result.

And as stated, if I echo $Domain, it shows ABC (or whatever it's supposed to show), so I know it's pulling correctly from the $_GET.

Anyone know what I'm doing wrong?

Peter O.
  • 32,158
  • 14
  • 82
  • 96
sleepywan
  • 27
  • 1
  • 5
  • 1
    1. Missing quotation marks. 2. SQL injection vulnerability ahead; [please read here for tips on how to prevent it](http://bobby-tables.com). 3. Use `mysqli_` or `PDO` instead of `mysql_`. – Barranka Aug 22 '14 at 16:00

2 Answers2

2

Use this, 

mysql_query("SELECT Code, Title, Domain, Status FROM tablename WHERE Domain='$Domain' ORDER BY Code");

Place the query within "...", and put '...' around your variable $Domain.

Erlesand
  • 1,525
  • 12
  • 16
  • 1
    A note: you should not be using `mysql_* functions`, instead you should upgrade to `mysqli` or `PDO`. – Erlesand Aug 22 '14 at 15:31
  • Still better to do `'" . $Domain . "'`. Newbies get very confused and think `'$_GET['Domain']'` would also work (it doesn't work ofc). – Daniel W. Aug 22 '14 at 15:34
  • I have switched out the quotes and it always threw several errors. So of course I do it again now and it works. :-\ Thanks for the help - not sure why this didn't work before! – sleepywan Aug 22 '14 at 15:38
1

You missed a quote just before SELECT

$result = mysql_query( SELECT Code, Title, Domain, Status FROM tablename WHERE Domain="$Domain" ORDER BY Code');
                      ^ right there

change it to:

$result = mysql_query('SELECT Code, Title, Domain, Status FROM tablename WHERE Domain="$Domain" ORDER BY Code');

However, you would be better off changing it to: (and see notes about prepared statements below)

$result = mysql_query("SELECT Code, Title, Domain, Status FROM tablename WHERE Domain='$Domain' ORDER BY Code");

or Domain='".$Domain."' if using Domain='$Domain' fails.

"If I swap out $Domain for direct text, like ABC, it works."

A: That's because the string that is being passed through most likely contains characters that need escaping. I.e.: Colons, slashes http:// and dots http://www.example.com etc.

Since you were using ABC as a simple string with nothing else to hamper the execution of SQL, it passed.

Using mysql_real_escape_string() would have helped, including stripslashes()

I.e.: $Domain = mysql_real_escape_string($_GET['Domain']);

Important note

Do use mysqli_ with prepared statements, or PDO with prepared statements, they're so much better to work with, and safer. Because as it stands, your present code is open to SQL injection.

Using error reporting is a must also:

and or die(mysql_error()) to mysql_query() which will signal errors found in code.

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • I missed the quote above, but not in my actual code. As per another comment, i swapped the quotes again and somehow it worked this time (but not the other times i tried to do it). Thanks! – sleepywan Aug 22 '14 at 15:39
  • @sleepywan You're welcome. The types of quotes and how you quote variables and queries, is a factor. Prepared statements would take care of that a lot easier. – Funk Forty Niner Aug 22 '14 at 15:40
  • @sleepywan I've added some additional information in my answer for you to read, as to why using `ABC` worked but not the variable. Reload the answer. – Funk Forty Niner Aug 22 '14 at 15:51
  • @sleepywan You're welcome. I hope my explanation as to why it was failing has helped you understand the errors. – Funk Forty Niner Aug 22 '14 at 16:15