dodgeitorelse3 Posted November 18, 2012 Share Posted November 18, 2012 ok so I am trying to learn to use $_POST. I have written a query with a where clause is using the $_POST but I keep getting query failed. I know the $_POST works as I can echo the value. Can anyone spot my error? $result = mysql_query("select * from lgsl where `comment'= ".$POST['comment']."") or die('Error, query failed'); Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/ Share on other sites More sharing options...
dannon Posted November 18, 2012 Share Posted November 18, 2012 `comment' Change ' to `. Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393389 Share on other sites More sharing options...
dodgeitorelse3 Posted November 18, 2012 Author Share Posted November 18, 2012 ty dannon, tried that and also added the missing underscore in $POST but still fails. Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393390 Share on other sites More sharing options...
Andy123 Posted November 18, 2012 Share Posted November 18, 2012 $result = mysql_query("select * from lgsl where comment = '" . $_POST['comment'] . "'") or die(mysql_error()); I removed the quotes around the "comment" column name because they are not necessary - and one of them was of the wrong type. I also added quotes around the POST value you are inserting because you will be searching for a string. I also corrected $POST to $_POST to use the superglobal array. If there is an error, it should now show this error because I added a function call within the die() call. You should also watch out for SQL injection. Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393391 Share on other sites More sharing options...
dannon Posted November 18, 2012 Share Posted November 18, 2012 $result = mysql_query("select * from lgsl where 'comment'= '".$_POST['comment']."'") try this Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393393 Share on other sites More sharing options...
dodgeitorelse3 Posted November 18, 2012 Author Share Posted November 18, 2012 ty guys, worked with $result = mysql_query("select * from lgsl where `comment`= '".$_POST['comment']."'") or die('Error, query failed'); now about the injection thing? Is it really something I need to worry about since I am the only one that has access to this file? Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393394 Share on other sites More sharing options...
dannon Posted November 18, 2012 Share Posted November 18, 2012 ty guys, worked with $result = mysql_query("select * from lgsl where `comment`= '".$_POST['comment']."'") or die('Error, query failed'); now about the injection thing? Is it really something I need to worry about since I am the only one that has access to this file? If you are the only one who is going to use it then no. But you should still learn how to prevent SQL Injections and stuff. Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393396 Share on other sites More sharing options...
dodgeitorelse3 Posted November 18, 2012 Author Share Posted November 18, 2012 ok dannon I will thank you very much Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393399 Share on other sites More sharing options...
AyKay47 Posted November 18, 2012 Share Posted November 18, 2012 Good practices should be exercised from the very beginning of learning how to code in a certain language. In this particular case, any data that comes from a user and is used in a query needs to be properly sanitized using mysql_real_escape_string to prevent SQL Injection as noted earlier. Link to comment https://forums.phpfreaks.com/topic/270866-failed-query/#findComment-1393402 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.