How to include a variable in a field in sql statement using php?

Question

I am writing a php script to query a MYSQL database. However, I may have a syntax error that makes my code not work.

If I do not use a variable and subsitute $errType for 'version'(for example), everything works fine. I am having issues with using a variable in place for a field.

 $errType = $_POST['errorCategory'];
 $errType = $mysqli->real_escape_string($errType);

 $sql = "SELECT * FROM codecError WHERE '$errType' ='0' ";
 $result = $mysqli -> query($sql);
 $count = $result -> num_rows;

 if($count > 0){
 }

Do *not* create SQL queries like this. Use [prepared statements](https://en.wikipedia.org/wiki/Prepared_statement). — Phylogenesis, Jan 20 '17 at 15:26
Can you show some `codecError` table data... and what comes to php in `$_POST['errorCategory']` ? — Pipe, Jan 20 '17 at 15:29
its better to echo your query `echo $sql = "SELECT * FROM codecError WHERE '$errType' ='0' ";` and run this on php myadmin, chk either working or not? — devpro, Jan 20 '17 at 15:31
Per the update, `$errType = 'version';` has the same behavior? — chris85, Jan 20 '17 at 15:32
than run this query in phpmyadmin `SELECT * FROM codecError WHERE version ='0'` and chk getting result or not? — devpro, Jan 20 '17 at 15:33
@chris - same. sql statement does not work. but direct replacement with 'version' does work. — dave, Jan 20 '17 at 15:33
Well `'version'` is a string (in SQL), `version` or that surrounded by backticks is a column. — chris85, Jan 20 '17 at 15:34
Column names should not be quoted with single quotes. Use backticks for column names. `\`$errType\`` — aynber, Jan 20 '17 at 15:35
Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) — chris85, Jan 20 '17 at 15:37
you must not add space between `$mysqli` & `->` and `->` & `query()` (and the same on the following line) — ᴄʀᴏᴢᴇᴛ, Jan 20 '17 at 15:41

score 0 · Accepted Answer · edited Jan 20 '17 at 15:27

0

Maybe you mean?

$sql = "SELECT * FROM codecError WHERE {$errType} ='0'";

You could also write it as

$sql = "SELECT * FROM codecError WHERE ".$errType." ='0'";

edited Jan 20 '17 at 15:27

devpro

16,184
3
27
38

answered Jan 20 '17 at 15:24

Bearzi

538
5
18

Did you check the SQL Syntax? Furthermore $mysqli -> cannot work, as well as with $result... In case that you have spaces here, not sure if it is just a formatting issue. – Bearzi Jan 20 '17 at 15:28
2

All three cases are the same. OP is using double quotes. – chris85 Jan 20 '17 at 15:29
1

@dave you say it does not work but accept it as an answer ? – ᴄʀᴏᴢᴇᴛ Jan 20 '17 at 15:38

How to include a variable in a field in sql statement using php?

1 Answers1