
Got a problem trying to get this SQL query to work in my PHP. id is in the URL and then I want to use it as a variable $id with the select statement. Struggling to see what I am doing wrong.

        require ("scripts/connect.php");

        if (isset($_GET['id'])) {
               $id = $_GET['id'];

        $get = mysql_query("SELECT * FROM media WHERE id = '" . $id . "'"));
ManWithNoName
    Don't put user input into your SQL queries. See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – melpomene Jul 02 '16 at 10:10
  • 2
    You've got at least two syntax errors there: Missing `}` and extra `)`. – melpomene Jul 02 '16 at 10:10
  • Isn't the PHP interpreter telling you what is wrong? It should tell you `syntax error, unexpected ')'` – PaulH Jul 02 '16 at 10:19
  • Indent the `$get` variable for readability and then close the `if` after the variable (you forgot a closing `}`). I also suggest, as a minimal injection protection, typehint `$id` with `(int)` in your SQL query. **That is the least you can do!** Use prepared statements instead. – aborted Jul 02 '16 at 10:22
  • Thanks for your comments, I was getting a "currently unable to handle this request." message which wasn't much use really. melpomene was right, the extra ) caused this. There is an additional } but I just didn't include it here as I knew it was the $get line causing the problem; don't know how I didn't spot the extra ) myself. – ManWithNoName Jul 02 '16 at 10:22

1 Answer

typo in the code:

    $get = mysql_query("SELECT * FROM media WHERE id = '" . $id . "'"));

should be

    $get = mysql_query("SELECT * FROM media WHERE id = '" . $id . "'");

and I agree with the comments regarding user input in the query - use PDO and parameterised bound variables.

gavgrif
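The PDO version the answer and the comments recommend, as an added example that is not the asker's or the answerer's own code. It assumes `scripts/connect.php` (not shown on the page) defines a PDO connection in `$pdo`; the integer validation and the error-mode settings are choices made here, not something the page prescribes.

```php
<?php
// Added example: the same lookup rewritten with PDO and a bound parameter,
// so $_GET['id'] never becomes part of the SQL text.
// Assumption: scripts/connect.php creates a PDO instance in $pdo.
require "scripts/connect.php";

// Raise exceptions on driver errors instead of returning false silently;
// mysql_query() returned false, which is why the original failure was opaque.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepares rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

if (!isset($_GET['id'])) {
    http_response_code(400);
    exit('missing id');
}

// Validate the type before touching the database: id is an integer column,
// so anything that is not an integer is rejected up front.
$id = filter_var($_GET['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// The statement text and the value travel to the server separately, so a
// value containing quotes or SQL keywords is treated as data, not as SQL.
$stmt = $pdo->prepare('SELECT * FROM media WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('not found');
}
// $row now holds the media record; render it as needed.
```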