1

I am using this code 

<?php
  $word = $_POST['word'];
  $wid= $_POST['id'];
  print "<table>";
  print "<tr>";
  $sql= 'SELECT url_imgsrch FROM p_url_imgsrch where 'word_id'='[$wid]' ORDER BY RAND() LIMIT 5';
  $result   =   mysql_query($sql);
  while($row = mysql_fetch_array($result)){

           print ' <td>
               <img name="myimage" src="'.$row[0].'" width="100" height="100" alt="word" border="1"/>
            </td>';
  }
  print "</tr>";
  print "</table>";
  ?>

What I am doing is to get one field from mysql using where clause, but it shows an error

Parse error: syntax error, unexpected T_STRING in D:\wamp\www\demo\login\card.php on line 21

and line 21 holds 

$sql= 'SELECT url_imgsrch FROM p_url_imgsrch where 'word_id'='[$wid]' ORDER BY RAND() LIMIT 5';

Kindly guide me what is the blunder I am doing? Guideline please.

One thing I think I should make clear is "ord_id field" is Numeric(int)

Shantha Kumara
  • 3,272
  • 4
  • 40
  • 52
Zaffar Saffee
  • 6,167
  • 5
  • 39
  • 77

4 Answers4

5

On this line:

$sql= 'SELECT url_imgsrch FROM p_url_imgsrch where 'word_id'='[$wid]' ORDER BY RAND() LIMIT 5';

Notice specifically how Stack Overflow's syntax highlighter treats it, especially around the term word_id. What you're doing with those single-quotes is terminating the PHP string and then throwing in an unknown term, word_id. PHP doesn't know what to do with this, so it gives the error you're seeing.

Is there a reason you're using single-quotes around the term word_id? Should it be a string in the SQL statement? I'm guessing it shouldn't. You should be able to just reference the column in the table directly in the query. Something like this:

$sql= 'SELECT url_imgsrch FROM p_url_imgsrch where word_id='[$wid]' ORDER BY RAND() LIMIT 5';

Note that the PHP syntax parsing is completely separate from the SQL syntax parsing. All you're doing in this code is building a string to send to the database. The database will, afterward, parse that string as SQL code. So mixing PHP and SQL should be done with care so as to not produce invalid SQL, or you'll get more errors even though your PHP code is fine. (You should also, as noted in a comment on the question and in other answers, look into things like SQL Injection Attacks and learn how to further protect your code. The code may work, but it may at the same time present glaring security holes. See the rest of this answer, and other answers, for more details on this. It is important.)

Quick question, and maybe this is just syntax with which I'm not immediately familiar... why are there square brackets around the $wid variable in that statement? I'm more familiar with MSSQL than with MySQL, and in the former square brackets signify a database object (not a variable, such as a string to match against a database object), which doesn't seem to be what you want here. It's likely you actually mean this:

$sql= "SELECT url_imgsrch FROM p_url_imgsrch where word_id='$wid' ORDER BY RAND() LIMIT 5";

Note two differences:

  1. Got rid of the square brackets.
  2. Changed the first and last quotes of the line from single quotes to double quotes. Both single quotes and double quotes can be used to denote strings in PHP. In this particular case, the double quotes are useful because they allow you to include single quotes within the string itself (without having to be escaped, which would make it more difficult to read).

Finally, and as others have also pointed out, this code needs to be protected against SQL injection attacks. The most immediate and apparent way to do this is with mysql_real_escape_string(), more information here. What this function essentially does is convert a string into a more SQL-safe string by escaping control characters and such. You'd wrap any and all input strings with this before adding them to the SQL string:

$wid = mysql_real_escape_string($wid);
$sql= "SELECT url_imgsrch FROM p_url_imgsrch where word_id='$wid' ORDER BY RAND() LIMIT 5";

You can also consider taking further steps to reduce your SQL vulnerabilities, as well as potentially result in cleaner code. Consider looking into PHP Data Objects to represent your database interactions instead of just building SQL strings directly in code.

David
  • 208,112
  • 36
  • 198
  • 279
  • -1 for just *mentioning* escaping at the very bottom of this wordy answer instead of including it in the code. – Your Common Sense Jan 18 '12 at 14:56
  • @David thanks for such a nice and detailed answer, it helps me a lot in learning process. also, the sysntex of sql you provided is working, and also, my idea is clear now about adding php variable. also got some know-how of sql injection..really thanks bro – Zaffar Saffee Jan 18 '12 at 14:58
  • @Col.Shrapnel: Point taken, I should have known better. (It's advice I've given others on Meta and just blatantly ignored it here.) Answer has been edited. Thanks! – David Jan 18 '12 at 15:04
  • +1 because @Col.Shrapnel needs to chill out... escaping the sql is important but not what the question is about. – Jeremy Holovacs Jan 18 '12 at 15:05
  • @JeremyHolovacs: Honestly, I agree with him. You're right, it's not the essence of the question. However, on multiple occasions I've advised people on Meta that they should "assume any code given in an answer will one day be blindly copied/pasted into someone's production code without a second thought." Bad code pollutes the internet. There's nothing wrong with continuing an answer in a direction further than the original question intended, as long as the question itself is still answered. – David Jan 18 '12 at 15:07
  • @David: there is no question it is important, and should definitely be mentioned, but -1 is for unuseful, incorrect, or misleading answers... not an answer that does not contain everything someone else would want to see in it. I am not pleased with the negative response I see from a well constructed answer that is informative, useful, and, in fact correct; so I will do my part to make sure this answer is not disregarded. – Jeremy Holovacs Jan 18 '12 at 15:13
  • @JeremyHolovacs: I appreciate it. Feel free to discuss further in chat (this comment thread is getting a bit noisy and we should probably delete it), as well as on Meta. My personal stance is that voting is highly subjective and both you and he have the right to cast the votes you cast. (In fact, he has since rescinded his down-vote after the answer was improved. So his vote served only to improve the content.) Users expect good answers (and good code) from Stack Overflow. A high-rep user providing bad code is, in my opinion, misleading. – David Jan 18 '12 at 15:18
  • 1
    as a matter of fact, you *cannot* avoid building SQL strings directly in code even when using PHP Data Objects ;) – Your Common Sense Jan 18 '12 at 15:35
  • thanks to all, contributions from all of you people have helped me a lot, was a nice experience putting my question here ..thanks again to all answering me .. – Zaffar Saffee Jan 18 '12 at 19:35
2

This should work fine when using double quotes for your sql statement $sql= "SELECT ..."

WHERE word_id='$wid'

Also add mysql_real_escape_string() to user input variables to avoid SQL Injections:

$wid = mysql_real_escape_string($_POST['id']);
Fabian
  • 3,465
  • 4
  • 34
  • 42
  • Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in D:\wamp\www\demo\login\card.php on line 25 is the new error, while i used code provided by you @Fabian.. and line 25 holds while($row = mysql_fetch_array($result)) – Zaffar Saffee Jan 18 '12 at 14:26
  • -1 the problem was with the quotes. +1 for the `mysql_real_escape_string()`... that's a wash. ;) – Jeremy Holovacs Jan 18 '12 at 14:26
  • $sql = "SELECT url_imgsrch FROM p_url_imgsrch where word_id = '$wid' ORDER BY RAND() LIMIT 5"; – Fabian Jan 18 '12 at 14:27
  • @Jeremy right, i missed the single quotes in the question. edited it.. +1 for your answer! – Fabian Jan 18 '12 at 14:28
1

try this:

$wid = mysql_real_escape_string($wid);
$sql = "SELECT url_imgsrch FROM p_url_imgsrch where word_id = '$wid' ORDER BY RAND() LIMIT 5";

You were improperly using quotes. If you are going to use quotes on column names, use the backtick, not the single quote.

Jeremy Holovacs
  • 22,480
  • 33
  • 117
  • 254
-1

As others have mentioned you aren't using quotes correctly if you use 'single quotes' you'd have to concatenate the strings as so: 

'string ' . $var

the single quotes mean that everything within is regarded as a literal string where almost nothing has to be escaped (except for single quotes of course). Inside "double quotes" you you have to escape special characters, also you are allowed to use variable names without the need to append the variable to the string yourself: 

"string $var"

for instance will work fine... See the PHP documentation for more info

You're code is susceptible to SQL-Injection. You can see some answers on how to fix it here. You can use the mysql_real_escape_string() to escape certain control characters as mentioned, but it is not failsafe. Example taken from Polynomial on the Link before:

SELECT * FROM users WHERE score = $var
//is still vulnerable to
$var = "1 OR 1 = 1"

I would recommend you use prepared statements if you consider to use it online.

EDIT:

Changed example.

added Links

Community
  • 1
  • 1
SanBen
  • 2,581
  • 26
  • 35