user2522177

Reputation: 47

MYSQL statement not echoing correctly

I have the following SQL statement:

$sql = "select tableid, comment, ID, description from reservations 
        where uniqueid = '" . $reservationid . "'";

$reservationid is passed via a POST form. A very similar statement with different fields selected seems to work fine on another page. But when I echo the SQL statement on the page I get

select tableid, comment, ID, description 
from reservations 
where uniqueid = '51e5f949c1828'

It seems to skip the final single quote

I've also tried

$sql = "select tableid, comment, ID, description from reservations 
        where uniqueid = '$reservationid'";

with the same result. If I view the page source, I can't understand why I see this:

select tableid, comment, ID, description from reservations 
where uniqueid = '51e5f949c1828</form

Where on earth is that stray </form> part coming from?

Upvotes: 0

Views: 68

Answers (5)

Sylvain Leroux

Reputation: 51990

But when i echo the sql statement on the page i get

select tableid, comment, ID, description from reservations where uniqueid = <'51e5f949c1828 

If you "echo" to your browser window, there is a great chance that the browser silently removed </form> from the display. My bet is that if you look at the source code of your page while displaying the query, you will see ... where uniqueid = '51e5f949c1828</form> as well.

Are you sure $reservationid contains what you expect?

Could you please show some more code, like your HTML form? There is probably malformed HTML and/or unclosed quotes somewhere there.


BTW, you should never directly inject a variable from an untrusted source in your query. This leads to SQL injection.

Upvotes: 1

echo_Me

Reputation: 37233

You can also do your query like this:

$sql = "select tableid, comment, ID, description 
       from reservations where uniqueid = '$reservationid'";

or simply

$sql = "select tableid, comment, ID, description 
        from reservations where uniqueid = $reservationid ";

Upvotes: 0

kumaheiyama

Reputation: 772

It seems you have some error in your form. The data sent is terminated incorrectly and therefore a part of the form HTML is sent with it. Can't really tell without you posting how you send the data. You will have to correct this to get the code to work.

There's nothing wrong with the PHP you've submitted, however it's an easy target of SQL injection attacks etc. So it's better to go with using for instance sprintf. http://php.net/manual/en/function.sprintf.php

Upvotes: 1

Jacob Goulden

Reputation: 371

I think you have your single and double quotes mixed up.

$sql = "select tableid, comment, ID, description from reservations where uniqueid = "' . $reservationid . '"";

Upvotes: 0

Vlad Lyga

Reputation: 1143

Use sprintf() - it's the better way for this kind of thing, like combining strings.

Upvotes: 0
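As an added example (not code from the question or any of the answers above): the defensive version of this lookup in PHP, which validates the posted id against the 13-character hex form seen in the question and binds it as a PDO parameter instead of concatenating it into the SQL, which is what actually closes the injection hole the answers mention (sprintf only formats the string; it escapes nothing). It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names come from the question, and the id format is an assumption.

```php
<?php
// Added example: parameterized version of the query from the question.
// Table/column names are taken from the question; the 13-hex-char id format
// is an assumption. SQLite in memory is used here so the script runs without
// MySQL; in production use your mysql: DSN with the same prepare/execute calls.

function isValidUniqueId(string $id): bool {
    // uniqid()-style 13-character hex token, as seen in the question ("51e5f949c1828").
    // A value with trailing form markup or a stray quote fails this check
    // before any SQL is built.
    return preg_match('/^[0-9a-f]{13}$/', $id) === 1;
}

function findReservation(PDO $db, string $reservationid): ?array {
    if (!isValidUniqueId($reservationid)) {
        return null;   // reject malformed input instead of sending it to the database
    }
    // The value travels as a bound parameter, never as part of the SQL text,
    // so quoting is handled by the driver and the query shape cannot change.
    $stmt = $db->prepare(
        'SELECT tableid, comment, ID, description FROM reservations WHERE uniqueid = :uid'
    );
    $stmt->execute([':uid' => $reservationid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reservations (ID INTEGER PRIMARY KEY, uniqueid TEXT, tableid INTEGER, comment TEXT, description TEXT)');
$db->exec("INSERT INTO reservations (uniqueid, tableid, comment, description) VALUES ('51e5f949c1828', 7, 'window seat', 'party of 4')");

// Constructed inputs: the clean id from the question, and the mangled value the
// question's page source showed (form markup leaking into the posted field).
foreach (['51e5f949c1828', '51e5f949c1828</form'] as $posted) {
    $row = findReservation($db, $posted);
    printf("%-25s => %s\n", var_export($posted, true),
        $row ? "tableid {$row['tableid']}" : 'rejected / not found');
}
```

Running it prints one found row for the clean id and "rejected / not found" for the mangled one, which also makes the original form bug visible server-side instead of silently producing a broken query.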
