-2
$sql = "SELECT email FROM family WHERE family = '$family'";
$result = mysql_query($sqll)or die(mysql_error());

Is this the right way to get php variable into mysql query?

TomTom

5 Answers

1

That could work. However, it's vulnerable to SQL injection.

This is safer:

$sql = sprintf("SELECT email FROM family WHERE family = '%s'",
               mysql_real_escape_string($family));
$result = mysql_query($sql);
Sergio Tulentsev
1

If you are starting with PHP/MySQL, I would recommend you check the PDO or MySQLi extension, as it allows you to use smarter database queries that are easier to maintain.

Nazariy
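As an added example (not code from the question or from any of the answers), here is the same lookup written with PDO prepared statements, the approach the answer above recommends. An in-memory SQLite database with constructed sample rows stands in for MySQL so the script runs offline; with the MySQL driver only the DSN changes.

```php
<?php
// Added example: the query from the question done with bound parameters.
// SQLite in memory is used here so the script runs without a MySQL server;
// for MySQL use new PDO('mysql:host=...;dbname=...', $user, $pass) and also
// set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function seed(PDO $pdo): void
{
    // Constructed sample rows standing in for the real "family" table.
    $pdo->exec('CREATE TABLE family (family TEXT NOT NULL, email TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO family (family, email) VALUES (:family, :email)');
    foreach ([['Smith', 'smith@example.com'], ["O'Brien", 'obrien@example.com']] as [$f, $e]) {
        $ins->execute([':family' => $f, ':email' => $e]);
    }
}

/**
 * Return the e-mail addresses stored for one family name.
 * $family is sent as data bound to the placeholder, never pasted into the
 * SQL text, so quotes or keywords inside it cannot alter the statement.
 */
function emailsForFamily(PDO $pdo, string $family): array
{
    $stmt = $pdo->prepare('SELECT email FROM family WHERE family = :family');
    $stmt->execute([':family' => $family]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = connect();
seed($pdo);

// A name containing a quote breaks the interpolated query from the question
// (the string literal ends early); the prepared statement handles it as data.
var_dump(emailsForFamily($pdo, "O'Brien"));
var_dump(emailsForFamily($pdo, 'Nobody'));
```

The first call returns the one matching address and the second an empty array; no escaping call is needed because the value never becomes part of the SQL string.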
0

The code has a type error

$sqll is not defined. It must be $result = mysql_query($sql).

I believe this is the reason you are looking for... (since the question is too vague, which is probably because you got an error that you couldn't track)

rjv
-1

From my knowledge, the best way is to use it like this:

If $family is not a string:

$sql = "SELECT email FROM family WHERE family = ".$family;

If there is a string comparison, then:

$sql = "SELECT email FROM family WHERE family = '".$family."'";
srbhbarot
  • Either case is seriously dangerous without emphasizing sanitizing inputs. Really though, the developer shouldn't have to worry about that; just put a ? in its place and use bound parameters or PDO instead. – atxdba Jan 11 '12 at 05:20
  • @Mischa He is in confusion. He asked what is the right way, so from my knowledge I just try to help him, nothing else. – srbhbarot Jan 11 '12 at 05:27
  • @srbhbarot Although your intention is good, you're not addressing the problem with the solution. Your code looks vulnerable to SQL injections, which probably is the reason you got downvoted. – Repox Jan 11 '12 at 07:15
-2

'$family': no need for single quotes here

maxjackie