-2
<?php
$user_id = 23;
$abc_username = "orange apple";

"WHERE u.user_type = 2 AND u.status = 1 AND (u.sponsor_id = '".$user_id."' OR u.placement = '".$abc_username."' )"

I get a syntax error on '".$abc_username."' because '".(only accepts integer, does not accept string)."'. Can you tell me the correct syntax for inserting a PHP variable that holds a string value?

I have tried \'".$abc_username."\', the solution from this page: "Put double quotes in a mysql string with PHP",

but I still get a syntax error.

zac1987
  • The code you posted looks fine to me (assuming you assign that string to a $query variable?), but you should really look at prepared statements using parameters in your query to protect yourself from SQL injection. The code you posted here is very vulnerable. See https://www.w3schools.com/php/php_mysql_prepared_statements.asp – Jules Apr 17 '20 at 11:08

1 Answer

0

Why not use sprintf()?

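// %s is wrapped in quotes so the value becomes a SQL string literal; sprintf() itself does no escaping
$query = sprintf("WHERE u.user_type = 2 AND u.status = 1 AND (u.sponsor_id = %d OR u.placement = '%s' )", $user_id, $abc_username);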
Ali_k
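
The prepared-statement approach that Jules's comment recommends, as an added example that is not part of the original question or answer. It assumes PDO with the SQLite driver; the `users` table name, its sample rows and the `findDownline` helper are constructed for illustration.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user_type INTEGER,
            status INTEGER, sponsor_id INTEGER, placement TEXT)");
$pdo->exec("INSERT INTO users (user_type, status, sponsor_id, placement) VALUES
            (2, 1, 23, 'root'),
            (2, 1, 7,  'orange apple'),
            (2, 1, 7,  'o''neil pear'),
            (1, 1, 23, 'orange apple')");

// Placeholders keep the SQL text fixed; values travel separately and are
// never parsed as SQL, so no manual quoting or escaping is needed.
function findDownline(PDO $pdo, int $userId, string $placement): array
{
    $stmt = $pdo->prepare(
        "SELECT u.id FROM users u
         WHERE u.user_type = 2 AND u.status = 1
           AND (u.sponsor_id = :sponsor_id OR u.placement = :placement)
         ORDER BY u.id"
    );
    $stmt->bindValue(':sponsor_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':placement', $placement, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// String with spaces, as in the question.
print_r(findDownline($pdo, 23, 'orange apple'));

// String containing a single quote: still bound as plain data.
print_r(findDownline($pdo, 23, "o'neil pear"));

// The concatenated form from the question breaks on the same value, because
// the quote inside the data terminates the SQL string literal early.
$placement = "o'neil pear";
try {
    $pdo->query("SELECT u.id FROM users u WHERE u.placement = '" . $placement . "'");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```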