PHP string variable in WHERE clause MySQL

Question

I am having a problem with this simple sql query:

<?php 
require_once('../../Connections/tohoshows.php'); 

$show ='gothaf';

mysql_select_db($database_tohoshows, $tohoshows);
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
$getShows = mysql_query($query_getShows, $tohoshows) or die(mysql_error());
$row_getShows = mysql_fetch_assoc($getShows);
$totalRows_getShows = mysql_num_rows($getShows);

mysql_free_result($getShows);
?>

When I use the string directly in the WHERE clause like this

 $query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf'";

I get a result. When I use the variable instead, I get no data! I am a novice and I can't figure out what am I doing wrong. Any help would be appreciated. Thank you!

[**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. — Kermit, Mar 28 '13 at 14:39

score 20 · Accepted Answer · edited May 23 '17 at 10:30

20

you getting no date because you have extra space betwee the quotes,

$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
                                                                    ^ HERE      ^

which will then be parsed into

SELECT * FROM toho_shows WHERE toho_shows.show =' gothaf '

remove it and it will work

$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='". $show. "'";

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

How to prevent SQL injection in PHP?

edited May 23 '17 at 10:30

Community

1
1

answered Mar 28 '13 at 14:30

John Woo

249,283
65
481
481

Thank you for your answer! I have also tried with no spaces in between, but I still get no data. – Akis Wma Asimakopoulos Mar 28 '13 at 14:33
post the result of this `echo $query_getShows;` – John Woo Mar 28 '13 at 14:34
You shouldn't even consider using this approach anyway, @Akis, it's really easy to use prepared statements and yet it is system critical. – Jonast92 Mar 28 '13 at 14:35
This what I get from the echo $query_getShows; `SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf'` though I still get no data when I test the SQL statement in Dreamweaver. – Akis Wma Asimakopoulos Mar 28 '13 at 14:44
Is there anything in that table that matches that? – Jonast92 Mar 28 '13 at 14:50
1

OK guys! This thing actually works, I don't know why dreamweaver doesn't return any data on the sql statement test! Thanks everybody! @Jonast92 I will consider the prepared statements as you said! Thanks! – Akis Wma Asimakopoulos Mar 28 '13 at 15:00
Thank you so much, – digitalsuite.net Jan 31 '18 at 06:00

PHP string variable in WHERE clause MySQL

1 Answers1

Linked