查询适用于sql，而不适用于php

Question

I have this query I can run against my db and it works fine. However when I try it in the PHP version I get 0 results. I'm missing something fundamental, I just can't tell what it is.

Query

SELECT * 
FROM table_admin_20
WHERE column1 =  '0607'

PHP

$store_info_query = "SELECT * FROM '".$table_name."' WHERE 'column1' = '".$store_number."'";

if ($query_run = mysql_query($store_info_query)) {
    if (mysql_num_rows($query_run) == NULL) {
        $response["success"] = 0;          
        echo json_encode($response);
        echo 'nope';
    } else {
        while ($row = mysql_fetch_assoc($query_run)) {
            $store_info = $row['column1'];
            echo '1111111';
            echo $store_info;           
        }       
    } 
} else {
    echo 'fail';
    }

I know I have 0 protection against SQL injection, I'm merely trying to pull data, this is in no way live yet. Anyways, I get the 'fail' response each time. Thanks for any help.

Answer 1

Don't add security as an afterthought, just switch to PDO or mysqli and use prepared statements so that you don't have to worry about the values any more. In case of table- or column names, you would need to use white-lists though.

The cause of your problem is that you are quoting your table- and field names. If you need to escape them, use backticks:

$store_info_query = "SELECT * FROM `".$table_name."` WHERE `column1` = '".$store_number."'";

Answer 2

You've to replace ' with ` for the table and column names. ' is just for values. Try this:

$store_info_query = "SELECT * FROM `".$table_name."` WHERE `column1` = '".$store_number."'";

Please avoid using * and rethink your security-strategies. As already mentioned, take a look at PDO: http://php.net/manual/en/book.pdo.php

Answer 3

You are putting wrong quotes around table name and column name. Try this

$store_info_query = "SELECT * FROM `".$table_name."` WHERE `column1` = '".$store_number."'";