By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,714 Members | 1,299 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,714 IT Pros & Developers. It's quick & easy.

help i'm new to mySQL

P: n/a
i dont know what i'm doing wrong i'm trying to get all the fields from a
specific row by user name i'm using php and i got the connection string down
and i made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

the variable $_POST[user] was passed to the php code from a previous html
form i get the error:
Unknown column '<username here>' in 'where clause'

the <username here> part shows whatever i typed in my previous form as a
user name

i'm guessing i'm using the wrong syntax and i cant find any help on it
perhaps some one could explain this to me and point me to a site or manual
on this sort of thing. i treid php.net but they have mostly different
functions i couldnt find this one there

TIA
~ K.R


Jul 17 '05 #1
Share this Question
Share on Google+
8 Replies


P: n/a
Kamil wrote:
i dont know what i'm doing wrong i'm trying to get all the fields from a
specific row by user name i'm using php and i got the connection string down
and i made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

the variable $_POST[user] was passed to the php code from a previous html
form i get the error:
Unknown column '<username here>' in 'where clause'

the <username here> part shows whatever i typed in my previous form as a
user name

i'm guessing i'm using the wrong syntax and i cant find any help on it
perhaps some one could explain this to me and point me to a site or manual
on this sort of thing. i treid php.net but they have mostly different
functions i couldnt find this one there

TIA
~ K.R

It needs to be in quotes.

Steve
Jul 17 '05 #2

P: n/a
.oO(Kamil)
i dont know what i'm doing wrong i'm trying to get all the fields from a
specific row by user name i'm using php and i got the connection string down
and i made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
Some things:

1) Do a google for "PHP SQL injection" and then never use form-submitted
data directly in a query again, you're risking your db and server!

SQL Injection
http://www.php.net/manual/en/securit...-injection.php

2) The username is a string, it has to be single-quoted in the query.

The missing quotes are what causes error, because MySQL treats the
submitted username as a column name instead of a value.
i'm guessing i'm using the wrong syntax and i cant find any help on it
perhaps some one could explain this to me and point me to a site or manual
on this sort of thing. i treid php.net but they have mostly different
functions i couldnt find this one there


The error is caused by MySQL, not PHP. Have a look at (or better
download) the MySQL manual.

10.1.1 Strings
http://dev.mysql.com/doc/mysql/en/String_syntax.html

10.2 Database, Table, Index, Column, and Alias Names
http://dev.mysql.com/doc/mysql/en/Legal_names.html

HTH
Micha
Jul 17 '05 #3

P: n/a
"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Vv******************@tornado.tampabay.rr.com. ..
i dont know what i'm doing wrong i'm trying to get all the fields from a
specific row by user name i'm using php and i got the connection string down and i made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

the variable $_POST[user] was passed to the php code from a previous html
form i get the error:
Unknown column '<username here>' in 'where clause'


$sql = sprintf("SELECT * FROM %s WHERE name = '%s'",
$dbname, $_POST[user]);

echo $sql;
$result = mysql_query($sql);
if(! $result || mysql_error() || mysql_num_rows($result) < 1)
{
echo "Unable to find records [$sql] : " . mysql_error() . "<br>\n";
}
Jul 17 '05 #4

P: n/a
*** Kamil escribió/wrote (Sat, 02 Oct 2004 06:02:29 GMT):
"SELECT * FROM <DBname> WHERE name = $_POST[user]"


What I've found to be wrong:

1) FROM clause needs a table name, not a database name
2) Strings in SQL must be quoted (single quotes)
3) You must escape single quotes within strings to avoid SQL injection and syntax errors
4) Associative arrays use a string as an index, not a constant
It shold be:

"SELECT * FROM table_name WHERE name='" . mysql_escape_string($_POST['user']) . "'"

--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Las dudas informáticas recibidas por correo irán directas a la papelera
-+ I'm not a free help desk, please don't e-mail me your questions
--
Jul 17 '05 #5

P: n/a
.oO(Alvaro G. Vicario)
*** Kamil escribió/wrote (Sat, 02 Oct 2004 06:02:29 GMT):
"SELECT * FROM <DBname> WHERE name = $_POST[user]"


What I've found to be wrong:

[...]
4) Associative arrays use a string as an index, not a constant


The above is correct (simple) PHP syntax. Quoting the index there would
cause a parse error. When using complex (curly) syntax or accessing the
array outside a string then you're right.

Micha
Jul 17 '05 #6

P: n/a

"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Vv******************@tornado.tampabay.rr.com. ..
i dont know what i'm doing wrong i'm trying to get all the fields from a
specific row by user name i'm using php and i got the connection string down and i made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

the variable $_POST[user] was passed to the php code from a previous html
form i get the error:
Unknown column '<username here>' in 'where clause'

the <username here> part shows whatever i typed in my previous form as a
user name

i'm guessing i'm using the wrong syntax and i cant find any help on it
perhaps some one could explain this to me and point me to a site or manual
on this sort of thing. i treid php.net but they have mostly different
functions i couldnt find this one there

TIA
~ K.R


thanks for all the help i looked up all those sites an dlearned a thing or
two but it still didnt help me... i know about the risk to th server and DB
but i'm not worried, noone knows about this DB and i'm not plnin to use it
anywhere its just for my own practice. I'm still having problems but i think
i DID make some progress heres whats going on now...

what I did to test what is going on is I put my query string in an echo
satement and the literal string that comes out that is used in the query is
this:

SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1

i copied and pasted this exact string into PHPMyAdmin and replaced <user>
with a real user name in my table and it did pull the record, but now my PHP
gives this error:

Warning: Wrong parameter count for mysql_query() in <directory> on line 12

any ideas?? i'm really confused
Jul 17 '05 #7

P: n/a
I noticed that Message-ID:
<Bm*******************@tornado.tampabay.rr.com> from Kamil contained the
following:

Warning: Wrong parameter count for mysql_query() in <directory> on line 12

any ideas?? i'm really confused


Er..you don't show us that bit of code...
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #8

P: n/a

"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Bm*******************@tornado.tampabay.rr.com ...

"Kamil" <oz******@tampabay.rr.com> wrote in message
news:Vv******************@tornado.tampabay.rr.com. ..
i dont know what i'm doing wrong i'm trying to get all the fields from a
specific row by user name i'm using php and i got the connection string

down
and i made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

the variable $_POST[user] was passed to the php code from a previous html
form i get the error:
Unknown column '<username here>' in 'where clause'

the <username here> part shows whatever i typed in my previous form as a
user name

i'm guessing i'm using the wrong syntax and i cant find any help on it
perhaps some one could explain this to me and point me to a site or
manual
on this sort of thing. i treid php.net but they have mostly different
functions i couldnt find this one there

TIA
~ K.R


thanks for all the help i looked up all those sites an dlearned a thing or
two but it still didnt help me... i know about the risk to th server and
DB
but i'm not worried, noone knows about this DB and i'm not plnin to use it
anywhere its just for my own practice. I'm still having problems but i
think
i DID make some progress heres whats going on now...

what I did to test what is going on is I put my query string in an echo
satement and the literal string that comes out that is used in the query
is
this:

SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1

i copied and pasted this exact string into PHPMyAdmin and replaced <user>
with a real user name in my table and it did pull the record, but now my
PHP
gives this error:

Warning: Wrong parameter count for mysql_query() in <directory> on line 12

any ideas?? i'm really confused


The message means what it says. The manual tells you what parameters the
mysql_query() function requires, and you have obviously gone and given it
something which is completely different. I suggest you learn to read.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #9

This discussion thread is closed

Replies have been disabled for this discussion.