question about passing field name in sql statement as variable.

On 30 Aug 2006 14:14:27 -0700, "nephish" <ne*****@gmail.comwrote:

>can anyone tell me if this is legal php/mysql ?

Did you try running it?

>i am trying to write a simple function to get a single stat from a
single table.

$field = 'phone_number';
$customer = 'fred';

$query = mysql_query("SELECT `'{$field}'` FROM `customers` WHERE `name`
= '{$fred}' ");
// note the back quotes around $field

The single quotes inside the back quotes will break it.

>or is this an accident waiting to happen ?

Probably, yes; depends where the data from the $field and $customer variables
comes from.
--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

Andy Hassall wrote:

On 30 Aug 2006 14:14:27 -0700, "nephish" <ne*****@gmail.comwrote:

can anyone tell me if this is legal php/mysql ?

Did you try running it?

i am trying to write a simple function to get a single stat from a
single table.

$field = 'phone_number';
$customer = 'fred';

$query = mysql_query("SELECT `'{$field}'` FROM `customers` WHERE `name`
= '{$fred}' ");
// note the back quotes around $field

The single quotes inside the back quotes will break it.

or is this an accident waiting to happen ?

Probably, yes; depends where the data from the $field and $customer variables
comes from.
--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

thanks for the quick reply,

Did you try running it?

yep, didn't work. i think the quotes did broke it it too. I got this:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL
result resource in
yadda yadda.
Tried it without the quotes and got a blank page.
i dont get that because i know the values are there.
so, will go ahead and make the individual queries.

thanks for your time.
sk

nephish wrote:

Andy Hassall wrote:

>>On 30 Aug 2006 14:14:27 -0700, "nephish" <ne*****@gmail.comwrote:

>>>can anyone tell me if this is legal php/mysql ?

Did you try running it?

>>>i am trying to write a simple function to get a single stat from a
single table.

$field = 'phone_number';
$customer = 'fred';

$query = mysql_query("SELECT `'{$field}'` FROM `customers` WHERE `name`
= '{$fred}' ");
// note the back quotes around $field

The single quotes inside the back quotes will break it.

>>>or is this an accident waiting to happen ?

Probably, yes; depends where the data from the $field and $customer variables
comes from.
--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

thanks for the quick reply,

>Did you try running it?

yep, didn't work. i think the quotes did broke it it too. I got this:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL
result resource in
yadda yadda.
Tried it without the quotes and got a blank page.
i dont get that because i know the values are there.
so, will go ahead and make the individual queries.

thanks for your time.
sk

What does mysql_error() say when it fails?

ALWAYS check the results from a mysql call. In the case of mysql_query,
a return of false indicates an error in the query.

Try echoing the sql string before executing it - see if it's what you
think it is.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jerry Stuckle wrote:

nephish wrote:

Andy Hassall wrote:

>On 30 Aug 2006 14:14:27 -0700, "nephish" <ne*****@gmail.comwrote:
can anyone tell me if this is legal php/mysql ?

Did you try running it?
i am trying to write a simple function to get a single stat from a
single table.

$field = 'phone_number';
$customer = 'fred';

$query = mysql_query("SELECT `'{$field}'` FROM `customers` WHERE `name`
= '{$fred}' ");
// note the back quotes around $field

The single quotes inside the back quotes will break it.
or is this an accident waiting to happen ?

Probably, yes; depends where the data from the $field and $customer variables
comes from.
--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

thanks for the quick reply,

Did you try running it?

yep, didn't work. i think the quotes did broke it it too. I got this:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL
result resource in
yadda yadda.
Tried it without the quotes and got a blank page.
i dont get that because i know the values are there.
so, will go ahead and make the individual queries.

thanks for your time.
sk

What does mysql_error() say when it fails?

ALWAYS check the results from a mysql call. In the case of mysql_query,
a return of false indicates an error in the query.

Try echoing the sql string before executing it - see if it's what you
think it is.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

wow, echo the query string. in a year of learning / using php and mysql
i swear i have never thought of that. Good result too. It wasn't
exactly what i thought. There was an extra space in the customer name.
thanks.

nephish wrote:

wow, echo the query string. in a year of learning / using php and mysql
i swear i have never thought of that. Good result too. It wasn't
exactly what i thought. There was an extra space in the customer name.
thanks.

Yep, echoing what you are really sending to the database can save you
hours of pain...
You might also want to look at doing your SQL transactions this way (
http://au3.php.net/manual/en/functio...li-prepare.php ) it tends to
lead to more maintainable code and other advantages (for example is you
use prepared statements with Oracle (PHP 5.1-PDO version-
http://au3.php.net/manual/en/function.pdo-prepare.php ) they will be
optimised more readily by Oracle than straight text queries (I'm not
sure if this advantage is true for MySQL but it may be.)) I tend to do
this the OO way but there is no problem doing it procedurally way
either.

Hope this is some use to you...