Alex Parser Alex Parser - 2 months ago 3x
PHP Question

PHP - Trouble with SQL query

I have this query:

SELECT * FROM items WHERE itemcategory= 123 AND itemname LIKE '%abc%';

I want to pass parameters to
; I tried something like this:

SELECT * FROM items WHERE itemcategory=".'$categoryid'." AND itemname LIKE" ."'%$itemname%'"." AND shopid=5003;

It didn't work. Can anyone help?


What you are doing is nearly right, but you can de complicate the string concatenation, if you remember that $var is automatically expanded in a double quoted string

So this is easier to read and notice spacing issues, which is all I think that was wrong with your statement

$q =   "SELECT * 
        FROM items 
        WHERE itemcategory = '$categoryid' 
          AND itemname LIKE '%$itemname%'
          AND shopid=5003";

Assuming you have valid data in these variables this should work

The only danger with doing this rather than using prepared parameterised queries is that you risk SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe! Use prepared statement and parameterized statements