Alex Parser Alex Parser - 3 months ago 6
PHP Question

PHP - Trouble with SQL query

I have this query:

SELECT * FROM items WHERE itemcategory= 123 AND itemname LIKE '%abc%';


I want to pass parameters to
itemcategory
and
itemname
; I tried something like this:

SELECT * FROM items WHERE itemcategory=".'$categoryid'." AND itemname LIKE" ."'%$itemname%'"." AND shopid=5003;


It didn't work. Can anyone help?

Answer

What you are doing is nearly right, but you can de complicate the string concatenation, if you remember that $var is automatically expanded in a double quoted string

So this is easier to read and notice spacing issues, which is all I think that was wrong with your statement

$q =   "SELECT * 
        FROM items 
        WHERE itemcategory = '$categoryid' 
          AND itemname LIKE '%$itemname%'
          AND shopid=5003";

Assuming you have valid data in these variables this should work

The only danger with doing this rather than using prepared parameterised queries is that you risk SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe! Use prepared statement and parameterized statements