neridaj Posted January 3, 2008

Hey people, I'm trying to use a query string variable in a SQL query but can't figure out how to make it work. I've tried escaping quotes, using double quotes and no quotes at all but nothing seems to work. Here is what I have:

/*
$pt = $_GET['pt'];
$rndtitle = 'select painting_title from paintings where painting_year =' . echo $pt . 'order by rand() limit 1;';
*/

Is there a better way to do this?

Thanks,
Jasn

https://forums.phpfreaks.com/topic/84348-using-query-string-variables-in-db-query/
dbo Posted January 3, 2008

$pt = $_GET['pt'];
// concatenate the value into the query; note the space before "order by"
$rndtitle = "select painting_title from paintings where painting_year = " . $pt . " order by rand() limit 1;";

But, be sure to clean your input ($pt) and use mysql_real_escape_string before sending it, or risk SQL injection!
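A worked comparison of the concatenated query above and a parameterised version, added here as an example and not code from either poster. One caveat a reader should take from it: in this query the value sits in an unquoted numeric position, so escaping quotes does nothing, as there are no quotes for an attacker to break out of; the value must be validated as a number and passed as a bound parameter. The example assumes PDO with the SQLite driver so it runs offline against an in-memory database (SQLite's random() stands in for MySQL's rand()); the paintings table and its two rows are constructed for the example, as are the function names.

```php
<?php
// Added example, not code from the original thread. Uses an in-memory SQLite
// database through PDO so it runs without a MySQL server; the table and rows
// below are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table paintings (painting_title text, painting_year integer)');
$db->exec("insert into paintings values ('Harbour at Dusk', 2006), ('Blue Study', 2007)");

// The pattern from the thread: the query-string value is pasted straight into
// the SQL text (with the missing space before "order by" restored).
function randomTitleUnsafe(PDO $db, string $pt): ?string
{
    $sql = 'select painting_title from paintings where painting_year = ' . $pt
         . ' order by random() limit 1';
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Hardened version: the year is validated as a short run of digits, then sent
// as a bound parameter so it can never be interpreted as SQL.
function randomTitleSafe(PDO $db, string $pt): ?string
{
    if (!preg_match('/^\d{1,4}$/', $pt)) {
        return null; // reject anything that is not a plain year
    }
    $stmt = $db->prepare(
        'select painting_title from paintings where painting_year = :year order by random() limit 1'
    );
    $stmt->execute([':year' => (int) $pt]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Normal request, e.g. ?pt=2007: both variants return "Blue Study".
var_dump(randomTitleUnsafe($db, '2007'));
var_dump(randomTitleSafe($db, '2007'));

// Attacker-controlled request, e.g. ?pt=1900%20or%201=1. The concatenated
// query becomes "... where painting_year = 1900 or 1=1 ...", which matches
// every row, so the unsafe variant returns a title although no painting is
// from 1900. The safe variant rejects the input and returns NULL.
var_dump(randomTitleUnsafe($db, '1900 or 1=1'));
var_dump(randomTitleSafe($db, '1900 or 1=1'));
```

Run it with the PHP CLI (php example.php). The same shape works against MySQL by changing the DSN and replacing random() with rand(); the validation and the bound parameter are what matter, not the driver.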
neridaj Posted January 7, 2008 (Author)

Thanks for the reply, but unfortunately it didn't work. I thought that would be the solution as well, as I had previously replaced the single quotes with doubles, but it doesn't work no matter which quotes you change. Thanks for the "SQL injection" heads up, I'm obviously still new to PHP/MySQL so I need to read up on cleaning my variable and mysql_real_escape_string().

Cheers,
Jason
trq Posted January 7, 2008

Do you want to post your actual code and a description of what "didn't work" actually means? Are you getting any errors? What?