如何将PHP变量插入SQL查询中

Question

I have an SQL query

qry1 = 
"SELECT DISTINCT (forename + ' ' + surname) AS fullname
FROM users
ORDER BY fullname ASC";

This gets forename and surname from a table called users and concatenates them together, putting a space in the middle, and puts in ascending order.

I then put this into an array and loop through it to use in a select drop-down list.

This works, however, what I now want to do is compare the fullname with a column called username in another table called users.

I'm struggling with how to write the query though. So far I have...

$qry2 
"SELECT username 
FROM users 
WHERE (forename + ' ' + surname) AS fullname 
=" . $_POST['Visiting'];

Any advice on to what I am doing wrong?

Answer 1

Rather CONCAT the two columns together. Also remember to escape any variables before adding them to your query.

$qry2 =
"SELECT username AS fullname
FROM users 
WHERE CONCAT(forename, ' ', surname)
='" . mysqli_real_escape_string($connection, $_POST['Visiting']) . "'";

Where $connection is your current db connection

Answer 2

I'm not sure that the use of the declared word 'AS' after 'WHERE' is correct in principle.

if you use MySQL, query should look like this:

SELECT [columns]
FROM [tables] [AS declareTableName]
WHERE [condition]
GROUP BY [declares|columns]
SORT BY [declares|columns]

But, i think your problem not in the query. Concatenating names in the query is incorrect. You must separate string with names in Back-end and than use it in query:

$names = explode(' ', $_POST['Visiting']);

Answer 3

This might work, assuming you use PDO:

$qry2 = "SELECT username FROM users
      WHERE CONCAT(forename, ' ', surname) = '" . $conn->quote($_POST['Visiting']) . "'";

...but you should have a look at the possible vulnerabilities through SQL injections.

Without knowing which library you use for connecting to the MySQL database, it's impossible to give proper advise about which method you should use for escaping the user's input. quote is the PDO method for escaping, real-escape-string is the equivalent for MySQLi

Answer 4

You should really refer to using PDO. When using PDO you can bind parameters to specified parts of your query. PDO also has built-in SQL-injection prevention, which is a great security measure that you won't have to deal with yourself. I hope this answers your question. See my example below.

Example:

// Create a new PDO object holding the connection details
$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);

// Create a SQL query
$query = "SELECT username FROM users WHERE (forename + ' ' + surname) AS fullname = :visiting;";

// Prepare a PDO Statement with the query
$sth = $pdo->prepare($query);

// Create parameters to pass to the statement
$params = [
    ':visiting' => $_POST['Visiting']
]

// Execute the statement and pass the parameters
$sth->execute($params);

// Return all results
$results = $sth->fetchAll(PDO::FETCH_ASSOC);

If you have any other questions about PDO, please refer to the following:

Official PDO documentation:
http://php.net/manual/en/book.pdo.php

Documentation on how to bind variables:
http://php.net/manual/en/pdostatement.bindparam.php

Answer 5

You can use this construction (without "AS fullname" and with apostrophes around variable):

$qry2 "SELECT username FROM users WHERE (forename + ' ' + surname) = '" . $_POST['Visiting'] . "'";

But for better security (SQL injection) You should use the escaping of variable. For example this construction, if You use MySQL database:

$qry2 "SELECT username FROM users WHERE (forename + ' ' + surname) = '" . mysql_real_escape_string($_POST['Visiting']) . "'";