PHP - Trouble with SQL query

Question

I have this query:

SELECT * FROM items WHERE itemcategory= 123 AND itemname LIKE '%abc%';

I want to pass parameters to itemcategory and itemname; I tried something like this:

SELECT *  FROM items WHERE itemcategory=".'$categoryid'." AND itemname LIKE" ."'%$itemname%'"." AND shopid=5003;

It didn't work. Can anyone help?

In what way did it not work? Did you get a specific error message? — Robert Columbia, Aug 12 '16 at 16:05
the 2nd sql statement has the quotes mixed up ~ more like `"SELECT * FROM items WHERE itemcategory='".$categoryid."' AND itemname LIKE '%".$itemname."%' AND shopid=5003;";` — Professor Abronsius, Aug 12 '16 at 16:05
@AlexParser go back and run it again and post the exact error message that you receive. — Robert Columbia, Aug 12 '16 at 16:05
$itemname is the parameter and I want to pass it in the place of abc. — Alex Parser, Aug 12 '16 at 16:06
Possible duplicate of [this](http://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-insert-statement) — Mingle Li, Aug 12 '16 at 16:07
What is the actual resulting query being executed and what is the actual error message? "I'm building a query and getting an error" doesn't tell us anything. — David, Aug 12 '16 at 16:08
PHP Parse error: syntax error, unexpected end of file in C:\inetpub\vhosts\personalwebars.com\httpdocs\compare.php on line 163 — Alex Parser, Aug 12 '16 at 16:08

score 1 · Accepted Answer · edited May 23 '17 at 12:22

What you are doing is nearly right, but you can de complicate the string concatenation, if you remember that $var is automatically expanded in a double quoted string

So this is easier to read and notice spacing issues, which is all I think that was wrong with your statement

$q =   "SELECT * 
        FROM items 
        WHERE itemcategory = '$categoryid' 
          AND itemname LIKE '%$itemname%'
          AND shopid=5003";

Assuming you have valid data in these variables this should work

The only danger with doing this rather than using prepared parameterised queries is that you risk SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe! Use prepared statement and parameterized statements

PHP - Trouble with SQL query

1 Answers1