1

For example:

$sql = "SELECT * FROM purch_inv WHERE '".$anyrow."'='".$anyrecord."'";

or

$sql = "SELECT * FROM '".$table."' WHERE 'rowabc'='".$anyrecord."'";

I have been trying this but it is not working, any ideas?

Jan
  • 42,290
  • 8
  • 54
  • 79
Nasir Hussain
  • 139
  • 1
  • 9

4 Answers4

1

In php you could use variables in double quotes (ex.)

$name = 'John';
$var = "Hello $name!";

It shows: Hello John.

With single quotes (ex.)

$name = 'John';
$var = 'Hello $name!';

It shows: Hello $name.

MrWoGu
  • 144
  • 7
1

Single-quotes mark a string literal.
But you want identfiers; 

SELECT * FROM identifier1 WHERE identifier2='stringliteral'

a table name is an identifier. Identifiers always can (and sometimes must) be wrapped in backticks.

SELECT x,y,z FROM `foo`

When I said a table name is an identifier, that wasn't entirely correct. In SELECT ... FROM foo foo is a name; it just so happens to be comprised of only one identifier, which is the table name.
There can be compound or multiple-part names, consisting of multiple identifiers connected via a dot between the parts. In that case you can (or must) wrap each single identifier in backticks; not the the whole name

SELECT x,y,z FROM `mydatabase`.`foo`

The fields you select (i.e. x,y and z in this case) are also names; so the same rules apply

SELECT `x`,`y`,`z` FROM `mydatabase`.`foo`

and again, in case you have multipart names you have to wrap each identifier individually in backticks, not the whole name

SELECT
    `foo`.`x`,
    `bar`.`x`,
    `foo`.`y`,
    `bar`.`z`
FROM
    `foo`
JOIN 
    `bar`
ON
    `foo`.`x`>`bar`.`y`

So, when do you use single quotes?
When you want a literal string in your query, like e.g.

SELECT x,y FROM foo WHERE y='abc'

this tells the MySQL parser that you want to compare the value of the field y to the string (literal) abc while

SELECT x,y FROM foo WHERE y=`abc`

would compare the value of the field y to the value of the field abc (which in my example doesn't exists and would therefore raise an error)

Full circle back to your question

$sql = "SELECT * FROM `$table` WHERE `rowabc`='$anyrecord'";

But please keep a good eye on http://docs.php.net/security.database.sql-injection regarding $anyrecord.
And make sure it is you (not the user) who is in control of $table.

VolkerK
  • 95,432
  • 20
  • 163
  • 226
0

yes you can

but you can't qoute the table name and column name

$sql="SELECT * FROM ".$table." WHERE rowabc='".$anyrecord."'";

the other example should be like this

$sql="SELECT * FROM purch_inv WHERE ".$anyrow."='".$anyrecord."'";
hassan
  • 7,812
  • 2
  • 25
  • 36
0

Obviously you need to think about SQL injection with the variables getting passed into your select query! So because table and column names cannot be replaced by parameters in PDO, you could use a function to create a whitelist of table names to pass into your query, then use a function with PDO to execute the statement:

$myWhitelist = array('table1', ...)

$myTable= array_intersect_keys($table1, array_flip($whitelist));

So now $table1 is safe to pass into your select function:

function select($conn, $table1, $someColumn) {
$myvar = $conn->prepare("SELECT FROM ".$table1." WHERE id = :someColumn");
$myvar->bindParam(":someColumn", $someColumn, PDO::PARAM_INT);
$myvar->execute();  

if ($myvar->rowCount() > 0) {
        return true;
} else {
        return false;
}

}

Community
  • 1
  • 1
Hexana
  • 1,095
  • 2
  • 12
  • 35