PHP4 - Help with SQL Statement

I need to know how to make the following statement work.
Here is the statement:

Where i am having issues is the 'Y' = %s in the code. The %s is a Field in my SQL database. It is putting quotations around it. How do i get take them out so that way the sql statement treats it like a field in the database.

Here is the echo of the statement

SELECT MaillingList.Switch, GROUP_CONCAT(MaillingList.Emailaddress) as Email FROM MaillingList WHERE MaillingList.Switch IN (SELECT MaillingList.Switch FROM MaillingList WHERE MaillingList.Vendor = 'Lucent' AND( MaillingList.Postion = 'DR' OR MaillingList.Postion = 'MS' OR MaillingList.Postion = 'MC' OR MaillingList.Postion = 'ST') AND 'Y' = 'BWM') GROUP BY MaillingList.Switch

What i market in red is where the issue is.
BWM is a field in my database and because of the quotes it doesn't work.

Try using backticks

When i do it that way I get a error

syntax error , unexpected '%'

any other ideas

Hi,

No idea what SecurityDavid was trying to do, but this doesn't work.

However, he's right about the backticks. You need to take the raw value(!), escape special characters and then wrap it in backticks. When you use your escape function, the value will always be wrapped in quotes -- which is not what you want.

But I find the whole idea rather odd and dangerous. You let the user choose any column he wants. That's a bad idea and points to a misdesign of either the application or the database.

And you should get used to indenting your queries. Those one-liners are completely unreadable and very error-prone.

So how would i do this.
I have a data base with email address in it.
the database has 15 fields
the user has 2 options
1st option is a variable in field 1
2nd option is the field that is looking for Y

SO with the data that i have on my first post how would i do this

Is that a convoluted version of this:

?

Incidentally, not that it matters, but neither 'mailling' nor 'postion' have any meaning in English, although I note that they are similar in spelling to the recognised English words 'mailing' and 'position'.

SELECT Switch,

GROUP_CONCAT(MaillingList.Emailaddress) as Email

FROM MaillingList

WHERE Switch IN (SELECT Switch

FROM MaillingList

WHERE Vendor = 'Lucent'

AND(Postion = 'DR' ORPostion = 'MS' OR Postion = 'MC' OR Postion = 'ST')

)

AND 'Y' = 'BWM'
GROUP
BY Switch

This is my sql statement. The BWM is a column name in my database that i am passing from another web page. The issue is that it has the single qoutes around it. I need to remove the qoutes so the sql query will work. How can i do this

The Code looks like this

Haven't I already answered this question?



"Escaping" in this context means: apply mysql_real_escape_string or an equivalent function and delete all backticks (since they aren't allowed within identifiers at all).

Sorry, I'm not really familiar with the use of the percent sign here. The answer was to make sure it was enclosed in backticks, which is correct; but I saw the %s as a variable, which I'm assuming is not correct. Can someone explain to me exactly what the % is used for here?

I got it to work,
This is the statement that i used


Thank you for all your Help

this is fixed