help i'm new to mySQL

I don't know what I'm doing wrong. I'm trying to get all the fields from a
specific row by user name. I'm using PHP and I got the connection string down,
and I made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

The variable $_POST[user] was passed to the PHP code from a previous HTML
form. I get the error:
Unknown column '<username here>' in 'where clause'

The <username here> part shows whatever I typed in my previous form as a
user name.

I'm guessing I'm using the wrong syntax and I can't find any help on it.
Perhaps someone could explain this to me and point me to a site or manual
on this sort of thing. I tried php.net but they have mostly different
functions; I couldn't find this one there.

TIA
~ K.R


Jul 17 '05 #1
Kamil wrote:
> I don't know what I'm doing wrong. I'm trying to get all the fields from a
> specific row by user name. I'm using PHP and I got the connection string down,
> and I made a query like this:
>
> $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
>
> The variable $_POST[user] was passed to the PHP code from a previous HTML
> form. I get the error:
> Unknown column '<username here>' in 'where clause'
>
> The <username here> part shows whatever I typed in my previous form as a
> user name.
>
> I'm guessing I'm using the wrong syntax and I can't find any help on it.
> Perhaps someone could explain this to me and point me to a site or manual
> on this sort of thing. I tried php.net but they have mostly different
> functions; I couldn't find this one there.
>
> TIA
> ~ K.R

It needs to be in quotes.

Steve
Jul 17 '05 #2
.oO(Kamil)
> I don't know what I'm doing wrong. I'm trying to get all the fields from a
> specific row by user name. I'm using PHP and I got the connection string down,
> and I made a query like this:
>
> $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

Some things:

1) Do a google for "PHP SQL injection" and then never use form-submitted
data directly in a query again, you're risking your db and server!

SQL Injection
http://www.php.net/manual/en/securit...-injection.php

2) The username is a string, it has to be single-quoted in the query.

The missing quotes are what causes the error, because MySQL treats the
submitted username as a column name instead of a value.

> I'm guessing I'm using the wrong syntax and I can't find any help on it.
> Perhaps someone could explain this to me and point me to a site or manual
> on this sort of thing. I tried php.net but they have mostly different
> functions; I couldn't find this one there.

The error is caused by MySQL, not PHP. Have a look at (or better
download) the MySQL manual.

10.1.1 Strings
http://dev.mysql.com/doc/mysql/en/String_syntax.html

10.2 Database, Table, Index, Column, and Alias Names
http://dev.mysql.com/doc/mysql/en/Legal_names.html

HTH
Micha
Jul 17 '05 #3
"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Vv******************@tornado.tampabay.rr.com. ..
> I don't know what I'm doing wrong. I'm trying to get all the fields from a
> specific row by user name. I'm using PHP and I got the connection string down,
> and I made a query like this:
>
> $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
>
> The variable $_POST[user] was passed to the PHP code from a previous HTML
> form. I get the error:
> Unknown column '<username here>' in 'where clause'

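// Build the query: the value is quoted for SQL and escaped before use.
// $dbname must hold the name of a table (FROM takes a table, not a database).
$sql = sprintf("SELECT * FROM %s WHERE name = '%s'",
               $dbname, mysql_real_escape_string($_POST['user']));

echo $sql;  // debug: show the exact statement sent to MySQL
$result = mysql_query($sql);
if (!$result || mysql_error() || mysql_num_rows($result) < 1)
{
    echo "Unable to find records [$sql] : " . mysql_error() . "<br>\n";
}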
Jul 17 '05 #4
*** Kamil escribió/wrote (Sat, 02 Oct 2004 06:02:29 GMT):
> "SELECT * FROM <DBname> WHERE name = $_POST[user]"

What I've found to be wrong:

1) FROM clause needs a table name, not a database name
2) Strings in SQL must be quoted (single quotes)
3) You must escape single quotes within strings to avoid SQL injection and syntax errors
4) Associative arrays use a string as an index, not a constant

It should be:

"SELECT * FROM table_name WHERE name='" . mysql_escape_string($_POST['user']) . "'"

--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humour website varnished for the outdoors)
++ Computing questions received by e-mail will go straight to the bin
-+ I'm not a free help desk, please don't e-mail me your questions
--
Jul 17 '05 #5
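
The fixes listed in the post above, as an added example that is not part of the original thread: the same lookup run unquoted, quoted without escaping, quoted with escaping, and with a bound parameter. It assumes PDO with an in-memory SQLite database in place of MySQL so it runs offline; the `users` table, its rows, the `attempt()` helper and the input values are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline
// (needs the pdo_sqlite extension); table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('kamil', 'kamil@example.test'), ('O''Brien', 'obrien@example.test')");

// Hypothetical helper: run a hand-built statement and report the outcome.
function attempt(PDO $pdo, string $label, string $sql): void
{
    try {
        $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
        echo "$label: " . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        echo "$label: rejected: " . $e->getMessage() . "\n";
    }
}

// Constructed stand-ins for $_POST['user'].
$plain = "kamil";
$apostrophe = "O'Brien";

// 1) Unquoted, as in the original question: the value is read as an
//    identifier, which is the "unknown column" class of error.
attempt($pdo, 'unquoted', "SELECT * FROM users WHERE name = $plain");

// 2) Quoted but not escaped: fine until the value contains a quote, which
//    ends the string early and leaves the rest to be parsed as SQL.
attempt($pdo, 'quoted, plain value', "SELECT * FROM users WHERE name = '$plain'");
attempt($pdo, 'quoted, apostrophe', "SELECT * FROM users WHERE name = '$apostrophe'");

// 3) Quoted and escaped (PDO::quote plays the role of mysql_escape_string).
attempt($pdo, 'escaped', "SELECT * FROM users WHERE name = " . $pdo->quote($apostrophe));

// 4) Bound parameter: the value is sent separately from the SQL text, so its
//    content cannot alter the statement. Nothing to remember to escape.
$stmt = $pdo->prepare("SELECT email FROM users WHERE name = :name LIMIT 1");
$stmt->execute([':name' => $apostrophe]);
echo "bound parameter: " . $stmt->fetchColumn() . "\n";
```

Against MySQL the same `prepare`/`execute` calls apply with a `mysql:` DSN in place of the SQLite one.
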
.oO(Alvaro G. Vicario)
> *** Kamil escribió/wrote (Sat, 02 Oct 2004 06:02:29 GMT):
>> "SELECT * FROM <DBname> WHERE name = $_POST[user]"
>
> What I've found to be wrong:
>
> [...]
> 4) Associative arrays use a string as an index, not a constant


The above is correct (simple) PHP syntax. Quoting the index there would
cause a parse error. When using complex (curly) syntax or accessing the
array outside a string then you're right.

Micha
Jul 17 '05 #6

"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Vv******************@tornado.tampabay.rr.com. ..
> I don't know what I'm doing wrong. I'm trying to get all the fields from a
> specific row by user name. I'm using PHP and I got the connection string down,
> and I made a query like this:
>
> $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
>
> The variable $_POST[user] was passed to the PHP code from a previous HTML
> form. I get the error:
> Unknown column '<username here>' in 'where clause'
>
> The <username here> part shows whatever I typed in my previous form as a
> user name.
>
> I'm guessing I'm using the wrong syntax and I can't find any help on it.
> Perhaps someone could explain this to me and point me to a site or manual
> on this sort of thing. I tried php.net but they have mostly different
> functions; I couldn't find this one there.
>
> TIA
> ~ K.R


Thanks for all the help. I looked up all those sites and learned a thing or
two but it still didn't help me... I know about the risk to the server and DB
but I'm not worried; no one knows about this DB and I'm not planning to use it
anywhere, it's just for my own practice. I'm still having problems but I think
I DID make some progress. Here's what's going on now...

What I did to test what is going on is I put my query string in an echo
statement, and the literal string that comes out that is used in the query is
this:

SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1

I copied and pasted this exact string into phpMyAdmin and replaced <user>
with a real user name in my table and it did pull the record, but now my PHP
gives this error:

Warning: Wrong parameter count for mysql_query() in <directory> on line 12

Any ideas?? I'm really confused.
Jul 17 '05 #7
I noticed that Message-ID:
<Bm*******************@tornado.tampabay.rr.com> from Kamil contained the
following:

> Warning: Wrong parameter count for mysql_query() in <directory> on line 12
>
> Any ideas?? I'm really confused.


Er..you don't show us that bit of code...
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #8

"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Bm*******************@tornado.tampabay.rr.com ...

> "Kamil" <oz******@tampabay.rr.com> wrote in message
> news:Vv******************@tornado.tampabay.rr.com. ..
>> I don't know what I'm doing wrong. I'm trying to get all the fields from a
>> specific row by user name. I'm using PHP and I got the connection string down,
>> and I made a query like this:
>>
>> $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
>>
>> The variable $_POST[user] was passed to the PHP code from a previous HTML
>> form. I get the error:
>> Unknown column '<username here>' in 'where clause'
>>
>> The <username here> part shows whatever I typed in my previous form as a
>> user name.
>>
>> I'm guessing I'm using the wrong syntax and I can't find any help on it.
>> Perhaps someone could explain this to me and point me to a site or manual
>> on this sort of thing. I tried php.net but they have mostly different
>> functions; I couldn't find this one there.
>>
>> TIA
>> ~ K.R
>
> Thanks for all the help. I looked up all those sites and learned a thing or
> two but it still didn't help me... I know about the risk to the server and DB
> but I'm not worried; no one knows about this DB and I'm not planning to use it
> anywhere, it's just for my own practice. I'm still having problems but I think
> I DID make some progress. Here's what's going on now...
>
> What I did to test what is going on is I put my query string in an echo
> statement, and the literal string that comes out that is used in the query is
> this:
>
> SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1
>
> I copied and pasted this exact string into phpMyAdmin and replaced <user>
> with a real user name in my table and it did pull the record, but now my PHP
> gives this error:
>
> Warning: Wrong parameter count for mysql_query() in <directory> on line 12
>
> Any ideas?? I'm really confused.


The message means what it says. The manual tells you what parameters the
mysql_query() function requires, and you have obviously gone and given it
something which is completely different. I suggest you learn to read.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #9
