glassfish, September 17, 2014:

The query:

    $query = "SELECT * FROM ttn01 WHERE id = $_GET['id']";

I am getting an error.
Jacques1, September 17, 2014:

You can't just drop some PHP value into a query string, especially when that value comes from the user. This makes your application wide open to SQL injection attacks and all kinds of bugs. Use prepared statements to properly pass values to the database system. Note that you'll need the PDO or the MySQLi extension. If you're still using the old mysql_* functions, it's time to switch.
ginerjm, September 17, 2014:

If id is NOT an integer value, you need to wrap the argument in single quotes and curly braces.
Jacques1, September 17, 2014:

> if id is NOT an integer value you need to wrap the argument in single quotes and curly braces

So that he gets a nice SQL injection vulnerability? C'mon.
glassfish (thread author), September 17, 2014:

Can you give me an example, please.
ginerjm, September 17, 2014:

You need to do what Jacques1 indicated. I merely told you one facet of writing a proper query statement, but he told you how to do things the proper way. So roll up your sleeves and do some research! Coders help those who help themselves.
Jacques1, September 17, 2014:

The blue underlined text snippets in my reply are actually links. Click on them and you'll get plenty of examples.
cyberRobot, September 17, 2014:

If $_GET['id'] is supposed to be a number, you can modify the query as follows:

    $query = "SELECT * FROM ttn01 WHERE id = {$_GET['id']}";

The curly brackets are needed when you include an array variable ($_GET['id']), which has quotes around the index, in a string.

As the others have suggested, you'll also want to take the necessary precautions to protect your query from injection attacks. If you're unable to use prepared statements and $_GET['id'] is supposed to be a number, you can run the variable through ctype_digit(): http://php.net/manual/en/function.ctype-digit.php

If $_GET['id'] contains anything other than a number, throw an error instead of running the query.
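To make the advice in this thread concrete, here is an added example (not code posted by any of the participants) that shows the interpolated query beside the prepared-statement and ctype_digit() approaches recommended above. It assumes the table ttn01 from the original post has an integer id column; the DSN, user and password values are placeholders.

```php
<?php
// Added example, not from the thread. Assumes table `ttn01` with an
// integer `id` column; DB_HOST / DB_NAME / DB_USER / DB_PASS are placeholders.

// 1. The shape of the original query: the request value is pasted into the
//    SQL text, so whatever the client sends is parsed as part of the statement.
function findRowInterpolated(PDO $pdo, string $id): array
{
    $query = "SELECT * FROM ttn01 WHERE id = {$id}";   // do not do this
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Prepared statement (Jacques1's advice): the SQL and the value travel
//    separately, so the value can only ever be a value, never SQL.
function findRowPrepared(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM ttn01 WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Input validation (cyberRobot's fallback): accept only a string of
//    digits and refuse everything else before any query is built.
//    ctype_digit('') is false, so a missing id is rejected as well.
function requireNumericId(string $id): int
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return (int) $id;
}

$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepares
]);

try {
    // Validate first, then bind: both layers together, as the thread suggests.
    $id   = requireNumericId($_GET['id'] ?? '');
    $rows = findRowPrepared($pdo, $id);
    print_r($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid id';
}
```

With MySQLi the equivalent is prepare() followed by bind_param('i', $id); the point is the same: the id is bound as a parameter, not concatenated into the query string.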