5 replies to this topic

[bbqroast]

This query returns

Quote

Unknown column 'bbqroast' in 'where clause'

(if $username is set to bbqroast)

SELECT * FROM users WHERE Username = $username

[nomaden]

Quotes should be added around $username variable

SELECT *  FROM users WHERE Username = '$username'

[Alexander]

Yes, you should include quotes over any string value such as a date or username. No quotes are only for tables and numeric values, such as their numeric user ID or a UNIX date.

[bbqroast]

Thanks..
I have used this method before with no quotes and that was ok- i avoid quotes cause they have caused me LOTS of trouble before.

[Vladimir]

Don't forget to escape $username with mysql_real_escape_string to prevent SQL injections: PHP: SQL Injection - Manual

If you are using PHP 5, then you can use this:

$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');

$stmt = $mysqli->prepare("SELECT * FROM users WHERE Username = ?")

$stmt->bind_param('s', $username);

$stmt->execute();

or some Database Access Layer that will further simplify your code, for example, with Zend_Db above code will look like:

$db = Zend_Db::factory('Pdo_Mysql', $parameters);

$result = $db->fetchOne('SELECT * FROM users WHERE Username = ?', $username);

[Orjan]

with MySQL, you should use aphostrophes, it's needed for strings, but good also for numbers, as it helps a little against SQL injection as well.