neridaj Posted January 3, 2008 Share Posted January 3, 2008 Hey people, I'm trying to use a query string variable in a sql query but can't figure out how to make it work. I've tried escaping quotes, using double quotes and no quotes at all but nothing seems to work. Here is what I have: /* $pt = $_GET['pt']; $rndtitle = 'select painting_title from paintings where painting_year =' . echo $pt . 'order by rand() limit 1;'; */ Is there a better way to do this? Thanks, Jasn Quote Link to comment Share on other sites More sharing options...
dbo Posted January 3, 2008 Share Posted January 3, 2008 $pt = $_GET['pt']; $rndtitle = "select painting_title from paintings where painting_year =" . $pt . "order by rand() limit 1;"; But, be sure to clean your input ($pt) and use mysql_real_escape_string before sending it, or risk SQL injection! Quote Link to comment Share on other sites More sharing options...
neridaj Posted January 7, 2008 Author Share Posted January 7, 2008 Thanks for the reply, but unfortunately it didn't work. I thought that would be the solution as well, as I had previously replaced the single quotes with doubles, but it doesn't work no matter which quotes you change. Thanks for the "SQL injection" heads up, I'm obviously still new to PHP/MySQL so I need to read up cleaning my variable and mysql_real_escape_string(). Cheers, Jason Quote Link to comment Share on other sites More sharing options...
trq Posted January 7, 2008 Share Posted January 7, 2008 Do you want to post your actual code and a desciption of what didn't work actually means? Are you getting any errors? What? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.