:mad:I'm new to PHP and MySQL, and I've been having some terrible difficulty with setting a $query string that contains a variable in the WHERE clause. I understand this is a common problem, but after three days of searching, I didn't find any of the solutions to fit my same problem. After staring at the screen for several hours, I suddenly remembered something very important, which I'll get to. I just wanted to post all the things I've learned, so that people can benefit from my tortuous trial and error and relentless Googling... :mad:
$query = "SELECT `password` FROM `customers` WHERE `username` = '$userName'";
It doesn't work. First, (as a newbie) you start out trying to figure out if it's a syntax problem, but you've copied and pasted till your right CTRL key quits working. Then you start thinking, maybe there's something wrong with the connection, but you can't find one. You spend a couple of days searching and asking, and nobody's solution seems to work. You've tried escape characters, "." concatenation, interpolation, etc... I can't tell you how much I learned about PHP just searching for the solution to this problem. And you can't go far with databases until you fix it. Here are some of the solutions I found:
Setting the literal inside an "if()" statement-- be sure you didn't forget the "==" in "if($str=='some value')" instead of using "if($str='some value')". That is easy to forget for newbies and will trip you up.
Check the syntax of your SELECT statement and quotation. Make sure you're using interpolating, double quotes (") for the entire string and single quotes (') around the variable.
Make sure your variable is actually set... echo it right before or after the query string is set. Also, echo your query string to see what you're actually sending.
Ok, now to my solution. If you're getting back an empty string, you may not be setting the literal correctly, but there's one more thing to remember.. Let's see, where's the super big, giant font.
[FONT="Arial Black"]GLOBAL VARIABLES![/FONT]
Sorry, that was bigger than I expected, and completely unnecessary. But I'll keep it.
$str = stripslashes($_POST['username']);
$dbname = 'customersLogin';
global $str; /*DECLARE GLOBALS!!!*/
$query = "SELECT `password` FROM `customers` WHERE `username`=\"$str\"";
$result = mysql_query($query) or die('Error getting data');
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
setcookie($sessionName, $sessionID, $expiry);
echo "some HTML and a saying... blah blah blah";
if(isset($_POST['username']) && $_POST['username']!="" && isset($_POST['password']) && $_Post['password']!="")
Or simply give your function an argument and call the function with the variable enclosed-- getData($str);. Anyway, I hope this helps some poor soul of a newbie in the future from the problems I ran into. This just goes to show... Follow good practices whether they're necessary in your current language or not. Someday, they will be.
Veterans, please do let me know if I made a mistake here. I'm a newbie myself. Also, remember that I did not include an anti-injection techniques here, so learn that too! Hope I got all that right.
I'm such an idiot sometimes...