Failed to run query: SQLSTATE[42000]: Syntax error or access violation: 1064

Question

I've looked at a bunch of other threads with the same error, however mine seems to be a bit different. I've already checked for missing commas and stuff.

This is the original code that doesn't work:

SELECT `color_name`, `dna_sample` FROM `horse_color_base` WHERE `dna_sample` = $dna 

However, if you change $dna to "eeee aaaa" (what the value of $dna is) it works perfectly.

SELECT `color_name`, `dna_sample` FROM `horse_color_base` WHERE `dna_sample` = 'eeee aaaa'

The validation error reads:

Failed to run query: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'aaaa' at line 1

It seems like it's breaking up the $dna variable, which is screwing everything up.

Thoughts or ideas on how to make this thing work with the variable?

I'm using collation latin1_general_cs for the dna and dna_sample columns because I need them to be case sensitive.

Answer 1

Like Michael Berkowski comments, quote the variable:

WHERE `dna_sample` = '$dna'

Writing a query this way is open to SQL injection. It's almost always better to write a query with bound parameters:

$stmt = $pdo->prepare('SELECT * FROM horse_color_base WHERE dna_sample = :dna');
$stmt->execute(array('dna' => $dna));