Php: sql error " Error: Unknown column 'RM' in 'where clause' with query"

Question

I'm trying to create a php file that searches on a DB that I created with mysql in ubuntu, but when I run the query I get this error but I can not understand why !!! When I print the error, the data I've passed is correct and is displayed in the string !!!!!

I think it's a syntax error but I can not figure out where it is !!!!

This is the excerpt where I create my string and I do my Query:

$sql_find = ("SELECT CITY, ADRESS, CAP FROM PEOPLE WHERE  ID_PERSON = $idperson  AND NAME_PERSON = $name  AND SURNAME = $surname ") ;
print $sql_find;


  $result= mysqli_query($connect,$sql_find) or  die ("Error: ". mysqli_error($connect)." with query ");

The data that is passed are Name, Surname and the id of the person I create in an app. Example:

$idperson=RM120463 $name = Mario $surname = Rossi

When I print the error it also prints the select I created which is:

SELECT CITY, ADRESS, CAP FROM PEOPLE WHERE ID_PERSON = RM120463 AND NAME_PERSON = Mario AND SURNAME = Rossi

Why gives me the error if the query is composed right?

Thanks only you can help me !!!!!

Use prepared statements and parameterized queries to avoid all this. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php — Dan, May 08 '18 at 16:29
Possible duplicate of [When to use single quotes, double quotes, and back ticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-back-ticks-in-mysql) — aynber, May 08 '18 at 16:32

Felippe Duarte · Accepted Answer · 2018-05-08T16:30:26.280

1

You forgot the quotes:

"SELECT CITY, ADRESS, CAP FROM PEOPLE WHERE  ID_PERSON = '$idperson'  AND NAME_PERSON = '$name'  AND SURNAME = '$surname'"

By the way, I can't see all of your code, but probably is vunerable to SQL Injection. Take a look if you are using the data directly from using input ($var = $_POST['...']) and replace with prepared statement and bind parameter.

edited May 08 '18 at 16:30

answered May 08 '18 at 16:28

Felippe Duarte

14,901
2
25
29

Thank you !!! but how come when I insert in the code and execute the query gives me this result 'Fatal error: Uncaught Error: Call to undefined function mysql_fetch_array()'? – Andrea May 11 '18 at 16:09
Use mysqli_fetch_array (attention to the **i** ) – Felippe Duarte May 11 '18 at 16:16

score 0 · Answer 2 · answered May 08 '18 at 16:28

You missing the quote around var

  $sql_find = ("SELECT CITY, ADRESS, CAP 
          FROM PEOPLE 
          WHERE  ID_PERSON = $idperson  
          AND NAME_PERSON = '$name'  
          AND SURNAME = '$surname'; ") ;

But you should not use PHP var in SQL .. you should take a look at you db driver for binding param .. the use for binding param avoid the risk for SQL injection and produce the correct value during binding

vogomatix · Answer 3 · 2018-05-08T16:54:36.563

0

Avoid the risk of SQL injection attacks by binding your parameters. Also it is neater to use object oriented code:

$sql_find = <<<EOT
SELECT CITY, ADRESS, CAP FROM PEOPLE 
WHERE ID_PERSON = ? AND NAME_PERSON = ? AND SURNAME = ?
EOT;
print $sql_find;

$stmt = $connect->prepare( $sql_find);
$stmt->bind_param( 'sss', $id_person, $name, $surname);

$stmt->execute() or
    die ("Error: ". $stmt->error()." with query ");

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
   // gets assoc array with 'CITY', 'ADRESS' and 'CAP' elements..
}

edited May 08 '18 at 16:54

answered May 08 '18 at 16:40

vogomatix

4,856
2
23
46

thank you so much !!! I try to execute your hear but when I insert it in my code when I write: '$ sql_find = <<< EOT' all the code that I have after is internal as if it were a parameter even if I use 'EOT;' could you help me? – Andrea May 11 '18 at 15:46
If you're having problems, just put the same thing in normal quotes - I just like heredocs. – vogomatix May 13 '18 at 19:40

Php: sql error " Error: Unknown column 'RM' in 'where clause' with query"

3 Answers3