Andy-H Posted July 30, 2008

Hi all, I am a self-taught PHP / MySQL programmer and I learned from trial and error (editing scripts), then went on to writing them. Anyway, I won't give you my life story, but the point I am getting at is that when I make scripts I don't know why I am putting code there, I just know to do it. I have just started a new project and I have been using PHP variables in queries as shown below:

$query_string = "SELECT `username` , `password` FROM `accounts` WHERE `loginname` = '".$user."' LIMIT 1";
$query = mysql_query($query_string) or die("Error: ".mysql_error()."<br /><br />In File: ".__FILE__."<br /><br />On Line: ".__LINE__);

I was just wondering, is this really necessary, as it is quite annoying to do, to be honest? If not, what is the best way to do this? Thank you for all replies.

DarkWater Posted July 30, 2008

You can just do:

$query_string = "SELECT username, password FROM accounts WHERE loginname = $user";

Andy-H Posted July 30, 2008 (Author)

And is that the best / safest way to do it?

renwoshin Posted July 30, 2008

Probably should do:

$query_string = "SELECT username, password FROM accounts WHERE loginname = '$user'";

(need the single quotes around $user)

DarkWater Posted July 30, 2008

Whoops, forgot the ' ' around the $name in the query (because it's a string, MySQL needs them). Good catch.

@Andy-H: I'd personally use sprintf() and make sure to escape all values.

Andy-H Posted July 31, 2008 (Author)

Well, earlier in the script I have the mysql_real_escape_string to all variables that are going into queries, and in this case the login-name and password are encrypted using md5(); then the username is fetched from the database to start the session. Also, I am not familiar with the proper functionality of sprintf(); what does it do exactly? Also, thanks for the help, guys.
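
The sprintf() and escaping suggestion from the thread, shown next to plain interpolation and a prepared statement. This is an added example, not code from any poster; it assumes PDO with an in-memory SQLite database in place of the thread's mysql_* functions, and the table row and the `$user` value are constructed sample data.

```php
<?php
// Added example: constructed table and data in an in-memory SQLite database
// (assumption; the thread uses MySQL through the old mysql_* functions).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (loginname TEXT, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO accounts VALUES ('o''brien', 'Pat', 'constructed-hash')");

$user = "o'brien"; // constructed input containing a quote character

// 1. Plain interpolation, as in the thread: the apostrophe ends the string
//    literal early, so the statement no longer parses as intended.
$naive = "SELECT username, password FROM accounts WHERE loginname = '$user' LIMIT 1";
try {
    $pdo->query($naive);
    $naiveResult = 'ran';
} catch (PDOException $e) {
    $naiveResult = 'syntax error';
}

// 2. sprintf() fills each %s placeholder with the matching argument.
//    PDO::quote() escapes the value and adds the surrounding quotes.
$sql = sprintf(
    'SELECT username, password FROM accounts WHERE loginname = %s LIMIT 1',
    $pdo->quote($user)
);
$row1 = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);

// 3. Prepared statement: the value travels separately from the SQL text,
//    so no quoting or escaping is written by hand.
$stmt = $pdo->prepare(
    'SELECT username, password FROM accounts WHERE loginname = ? LIMIT 1'
);
$stmt->execute([$user]);
$row2 = $stmt->fetch(PDO::FETCH_ASSOC);

printf("naive: %s\nsprintf+quote: %s\nprepared: %s\n",
    $naiveResult, $row1['username'], $row2['username']);
```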