#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2007
    Posts
    114
    Rep Power
    40

    How do you put php variables in a MySql string?


    Hello,

    I am getting a syntax error on this line of PHP code:

    PHP Code:
    $uql = "UPDATE colleges SET latitude='"$g_demo->latitude"', longitude=1  WHERE institution_name='{$row["institution_name"]}' LIMIT 1";
    $ues = mysql_query($uql) or die("FAIL: $uql BECAUSE: " . mysql_error());
    I think all the double quotes and single quotes are confusing me. Any advice, or can anyone tell me the correct syntax to get this to work?
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    Sydney Australia
    Posts
    183
    Rep Power
    83
    Originally Posted by NewWEBdesigner
    Hello,

    I am getting a syntax error on this line of PHP code:

    PHP Code:
    $uql = "UPDATE colleges SET latitude='"$g_demo->latitude"', longitude=1  WHERE institution_name='{$row["institution_name"]}' LIMIT 1";
    $ues = mysql_query($uql) or die("FAIL: $uql BECAUSE: " . mysql_error());
    I think all the double quotes and single quotes are confusing me. Any advice, or can anyone tell me the correct syntax to get this to work?
    To do it like that, you need the concat operator to join the string together.
    PHP Code:
    $uql = "UPDATE colleges SET latitude='" . $g_demo->latitude . "', longitude=1  WHERE institution_name='{$row["institution_name"]}' LIMIT 1";
    $ues = mysql_query($uql) or die("FAIL: $uql BECAUSE: " . mysql_error());
  4. #3
  5. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,997
    Rep Power
    9397
    Another correct syntax is the one you use later on in that very same string.
    PHP Code:
    "...WHERE institution_name='{$row["institution_name"]}' LIMIT 1" 
  6. #4
  7. No Profile Picture
    I haz teh codez!
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2003
    Posts
    2,548
    Rep Power
    2337
    An even better answer is to use mysqli or PDO and prepared statements.

    Comments on this post

    • Jacques1 agrees : It's actually the only right answer. Thumbs up for actually looking at the code and not just explaining how strings work.
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    do not use this code, it's wide open to SQL injections. When you naively put values into the query string, anybody can manipulate the query and try to fetch your admin password, delete stuff or whatever.

    Do what ptr2void said. If you already use the obsolete "mysql" functions everywhere and cannot possibly switch now, you must escape every value with mysql_real_escape_string() and wrap it in quotes. That's the only way to prevent the input from being interpreted as SQL.
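
The prepared-statement approach recommended in posts #4 and #5, shown next to the interpolated query from the thread. This is an added example, not code from any poster. Assumptions: an in-memory SQLite database reached through PDO stands in for the MySQL server, `LIMIT 1` is dropped because stock SQLite does not accept it on UPDATE, and the function names, sample rows and inputs are constructed.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL so this runs offline;
// against MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE colleges (institution_name TEXT, latitude REAL, longitude REAL)');
// Constructed sample rows.
$insert = $pdo->prepare('INSERT INTO colleges (institution_name) VALUES (?)');
foreach (["Alpha College", "St. Mary's College", "Gamma Institute"] as $name) {
    $insert->execute([$name]);
}

// Unsafe (hypothetical helper): the thread's approach, values pasted into the SQL text.
function updateInterpolated(PDO $pdo, string $name, float $lat): int
{
    $sql = "UPDATE colleges SET latitude='" . $lat . "', longitude=1 "
         . "WHERE institution_name='{$name}'";
    return $pdo->exec($sql); // number of rows affected
}

// Safe (hypothetical helper): the SQL text is fixed, values are bound separately.
function updatePrepared(PDO $pdo, string $name, float $lat): int
{
    $stmt = $pdo->prepare(
        'UPDATE colleges SET latitude = :lat, longitude = 1 WHERE institution_name = :name'
    );
    $stmt->execute([':lat' => $lat, ':name' => $name]);
    return $stmt->rowCount();
}

// Constructed inputs: a legitimate name containing an apostrophe, and a value
// whose quote characters turn the WHERE clause into an always-true condition.
$legit   = "St. Mary's College";
$crafted = "x' OR '1'='1";

try {
    updateInterpolated($pdo, $legit, 38.9);
} catch (PDOException $e) {
    echo "interpolated, apostrophe: query broke (", $e->getMessage(), ")\n";
}
echo "interpolated, crafted: ", updateInterpolated($pdo, $crafted, 0.0), " row(s) changed\n";
echo "prepared, apostrophe:  ", updatePrepared($pdo, $legit, 38.9), " row(s) changed\n";
echo "prepared, crafted:     ", updatePrepared($pdo, $crafted, 0.0), " row(s) changed\n";
```

With bound parameters the crafted value is compared as a literal name, so it matches nothing, while the legitimate name with an apostrophe updates its own row instead of breaking the query.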
