Using variable in mysql_query WHERE statement not working

[sleepyw]

I've been baffled by this for 2 days now and cannot figure it out after exhaustive searches. I'd like to think I'm doing this correctly, but cannot get it to work.

 

I'm trying to use a variable within a query WHERE statement, and it shows 0 results. If I directly hardcode the text instead of using the variable, it works. The variable is pulling from a $_GET, and if I echo that variable, it is showing the correct text.

 

Here's my code:

$Domain = $_GET['Domain'];
$result = mysql_query(SELECT Code, Title, Domain, Status FROM tablename WHERE Domain="$Domain" ORDER BY Code');

If I swap out "$Domain" for direct text, like "ABC", it works. I have tried swapping out the quotes and single quotes throughout the statement, removing the quotes around $Domain, concatenating the statement separately....all yield erros or the same result.

 

And as stated, if I echo $Domain, it shows "ABC" (or whatever it's supposed to show), so i know it's pulling correctly from the $_GET.

 

Anyone know what I'm doing wrong?

[gristoi]

ok, to start your query is missing a single quote:

 

try

$Domain = $_GET['Domain'];
$result = mysql_query("SELECT `Code`, `Title`, `Domain`, `Status` FROM `tablename` WHERE `Domain`='{$Domain}' ORDER BY `Code`");

also make sure $Domain is sanitized and actually exists. You should never pass raw input into a query

[sleepyw]

I appear to have found the issue from some outside help....swapping the quotes again (single/double quotes) seemed to work when I tried it again. Previously it gave me errors.

 

@gristoi Yeah I saw the single quote, but that was my trascription error here, not in my actual code. $Domain had a result, as I tested it when echoing the data back to make sure something was actually there.

Edited August 22, 2014 by sleepyw

[Jacques1]

This all doesn't make a lot of sense.

 

First of all, never insert raw user input into a query string. This allows anybody to manipulate the query and fetch sensitive data or even take over your entire server. See SQL injection attacks. This very bug may also be the reason for the errors (whatever those are), because dropping some random PHP variable into a query typically breaks the SQL syntax.

 

Secondly, the mysql_* functions you're using are obsolete since more than 10 years and will be removed in one of the next PHP releases. Didn't you see the big red warnings in the PHP manual? Nowadays, we use PDO or MySQLi. I strongly recommend PDO. Both interfaces support prepared statements as a secure way of passing values from PHP to a query.

 

You're also missing a single quote at the beginning of the query string, and you cannot have embedded variables in a single-quoted query (but since this is wrong in any case, it doesn't really matter).

 

My suggestion would be: Throw away the code, learn PDO and start over. It makes little sense to repair code which was dead on arrival.