4

I have this line of SQL:

$sql = "SELECT ID, ListStID, ListEmail, Title FROM $entry_database WHERE ID = '". $ReqBookID ."'";
$result = mysqli_query($conn, $sql);

As you can see, I am selecting an entry's ID, ListStID, ListEmail and Title Column if ID is equal to a string of numbers (or text), which is given by user in a form.

Everything is ok, and I don't get any syntax error when I write the code (I am using a code editor software. However, when I use it online, I get this error:

Error: SELECT ID, ListStID, ListEmail, Title FROM WHERE ID = '4' You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE ID = '4'' at line 1

I am very new to PHP, and I'm sure I am either adding extra ' or ", so I would really appreciate it if you could help me with this issue. I have tried the answers for similar questions, but no success yet.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
Sep
  • 79
  • 1
  • 1
  • 8
  • 3
    `$entry_database` is empty, don't you see it? `... FROM WHERE ...` should be `... FROM `some_table `WHERE ...` – u_mulder Dec 04 '14 at 19:43
  • 2
    I am compelled to point out that you have the possibility of some SQL injection if $ReqBookID can be a malicious value. You may also find that preparing the statement allows you to simplify how it works. –  Dec 04 '14 at 19:46
  • 1
    Either you didn't define `$entry_database` or you shouldn't have the `$` sign in there. I stand at being 50% right ;) – Funk Forty Niner Dec 04 '14 at 19:51
  • 1
    @Fred-ii- 50% correct in this case! – Tim Lewis Dec 04 '14 at 20:04
  • 1
    HA HA HA!! The battle of teachers!! :P :P Thanks to both of you peeps :) – Sep Dec 04 '14 at 20:19

3 Answers3

4

You have empty $entry_database variable. As you see in error: ListEmail, Title FROM WHERE ID bewteen FROM and WHERE should be name of table. Proper syntax of SELECT:

SELECT columns FROM table [optional things as WHERE/ORDER/GROUP/JOIN etc]

which in your way should become:

SELECT ID, ListStID, ListEmail, Title FROM some_table_you_got WHERE ID = '4'
Forien
  • 2,712
  • 2
  • 13
  • 30
  • Ok,So that was my stupidity. The entry_database is the table name, I added the $ in error. Many thanks to you @Forien. Legend!!! – Sep Dec 04 '14 at 19:59
  • @Sep [**Just like I said...**](http://stackoverflow.com/questions/27302605/sql-syntax-error-mariadb-server-version-for-the-right-syntax-to-use-near-where#comment43068611_27302605) - wink. – Funk Forty Niner Dec 04 '14 at 20:08
  • LOL @Fred-ii- Another Awesome hint!! :) I appreciate the words of wisdom!! :) – Sep Dec 04 '14 at 20:23
  • @Fred-ii- I don't suppose you know why my code is throwing error for the update by any chance? :) Thanks alot – Sep Dec 04 '14 at 20:32
  • @Sep Sorry, I don't. – Funk Forty Niner Dec 04 '14 at 20:33
  • @Sep now it seems that $ReqBookID is empty. In your $sql you see `''` instead of `'3286'` or anything – Forien Dec 04 '14 at 20:53
  • @Forien It worked!! You were right! I actually hadn't set it! Rookie Mistake!! :) Thanks alot for your help! :) :) – Sep Dec 04 '14 at 20:54
1

You're missing your database name:

$sql = "SELECT ID, ListStID, ListEmail, Title FROM ".$entry_database." WHERE ID = ". $ReqBookID .";

And make sure that $entry_database isn't null or empty:

var_dump($entry_database);

Also notice that you don't need to have $ReqBookID in '' as if it's an Int.

Tim Lewis
  • 27,813
  • 13
  • 73
  • 102
  • 1
    Inside double quotes, variables will be read. So, his string was constructed fine as long as `$entry_database` is set. – gen_Eric Dec 04 '14 at 19:45
  • Yeah I know, just my convention to always `".$variable."` things for legibility. – Tim Lewis Dec 04 '14 at 19:46
  • Thanks for your response @TimLewis, the entry_database is my table. I'm not sure why I had $ next to it. So how would you write the sql statement? – Sep Dec 04 '14 at 20:01
  • `$sql = "SELECT ID, ListStID, ListEmail, Title FROM entry_database WHERE ID = ". $ReqBookID .";` Like that. Nice and simple! – Tim Lewis Dec 04 '14 at 20:02
  • @TimLewis the line you provided doesn't work. I think it's missing a " somewhere. – Sep Dec 04 '14 at 20:21
  • Oh it is. Oops. Remove the last `."` and it will work. – Tim Lewis Dec 04 '14 at 20:21
  • @TimLewis Thanks Tim, I fixed it, and actually, following Forien response above, I found that I hadn't set the variable!! Thanks for all your help – Sep Dec 04 '14 at 20:56
-2

This problem also arise when we don't give the single or double quotes to the database value.

Wrong way: 

$query ="INSERT INTO tabel_name VALUE ($value1,$value2)";

As database inserting values must be in quotes ' '/" "

Right way: 

$query ="INSERT INTO STUDENT VALUE ('$roll_no','$name','$class')";
aso
  • 1,331
  • 4
  • 14
  • 29
Sundeep Singh
  • 1