
I have an issue passing string value using query string in PHP. I am using a PhpMyAdmin database.

Below is my query string:

http://192.168.0.106/PHP/webservice/comments.php?city_town='Vadodara'

and my PHP code is as below:

if(isset($_GET["city"])){
    @$city = $_GET["city"];

    //echo $city;
    $query = "select * from shop_detail where city_town ='". $city ."' ";
}
Guillaume Fache
user4417231
  • Looks like problem is you are getting "city" instead of "city_town" – Maxqueue Jun 03 '15 at 13:20
  • 1. PHP name differs from element. 2. You have quotes in the value being passed in. 3. You're open to SQL injections with this code, separate user input from query. 4. Don't use `@`. Don't suppress errors. – chris85 Jun 03 '15 at 13:22

1 Answer

Use city_town, not city. Also use mysqli_real_escape_string to prevent SQL injection, and put the table and column names in backticks.

if(isset($_GET["city_town"])){
    // $conn is the open mysqli connection
    $city = mysqli_real_escape_string($conn,$_GET["city_town"]);

    //echo $city;
    $query = "select * from `shop_detail` where `city_town` ='". $city ."' ";
}
Saty
  • The `mysqli_real_escape_string` requires the connection, no? Also it's not clear to me that the OP is using mysqli. I'd just point the OP to this thread for SQL injection prevention, http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1. – chris85 Jun 03 '15 at 14:23
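
The comments above ask for user input to be kept separate from the query. The following is an added example, not code from the question or the answer: it binds `city_town` as a parameter of a prepared statement. It assumes PDO with an in-memory SQLite database standing in for the MySQL server, constructed rows, hypothetical helper names `cityFromRequest` and `shopsInCity`, and an arbitrary 100-byte length limit.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server; rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shop_detail (id INTEGER PRIMARY KEY, name TEXT, city_town TEXT)');
$pdo->exec("INSERT INTO shop_detail (name, city_town) VALUES
    ('Shop A', 'Vadodara'), ('Shop B', 'Surat'), ('Shop C', 'O''Fallon')");

// Read the same key the URL sends (city_town, not city) and reject anything
// that is not a plain, non-empty string. The length limit is an assumed value.
function cityFromRequest(array $get): ?string
{
    $raw = $get['city_town'] ?? null;
    if (!is_string($raw)) {          // missing key, or ?city_town[]=x (an array)
        return null;
    }
    $city = trim($raw);
    return ($city === '' || strlen($city) > 100) ? null : $city;
}

// The SQL text is a constant; the value travels separately as a bound parameter,
// so quote characters inside it are data and never part of the statement.
function shopsInCity(PDO $pdo, string $city): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, city_town FROM shop_detail WHERE city_town = :city'
    );
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_GET.
$requests = [
    ['city_town' => 'Vadodara'],      // value sent without quotes
    ['city_town' => "'Vadodara'"],    // value as in the question's URL, quotes included
    ['city_town' => "O'Fallon"],      // apostrophe inside the value
    ['city'      => 'Vadodara'],      // wrong key, as in the question's PHP
    ['city_town' => ['x']],           // array instead of string
];

foreach ($requests as $get) {
    $city = cityFromRequest($get);
    if ($city === null) {
        echo "rejected: city_town missing or malformed\n";
        continue;
    }
    printf("%s => %d row(s)\n", $city, count(shopsInCity($pdo, $city)));
}
```

With a bound parameter, the quotes in `?city_town='Vadodara'` are compared as part of the value, so that request matches no rows; the URL should send the bare value.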