
Multiple PHP Variables in SQL Query

I'm struggling to understand quotes in PHP, mainly when doing SQL queries. I keep getting an error on this query.

SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = ".$dest."AND Hotels.ID =".$hotel;

I'm trying to use two PHP variables in the query. Any help would be greatly appreciated.

Your query should be

$query = "SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = '$dest' AND Hotels.ID = '$hotel'";

Since you are using ID, and if it is an integer field, it is not required to put quotes around the ID value; you can also do

$query = "SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = $dest AND Hotels.ID = $hotel";

UPDATE:

You need to escape the query input. You can escape the user input using two methods: using mysqli_real_escape_string or using prepared statements.

With mysqli_real_escape_string:

$dest  = $mysqli->real_escape_string($dest);
$hotel = $mysqli->real_escape_string($hotel);

$stmt = "SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
    INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
    INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
    INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
    WHERE Destinations.ID = '$dest' AND Hotels.ID = '$hotel'";

With prepared statement:

$stmt = $mysqli->prepare("SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
    INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
    INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
    INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
    WHERE Destinations.ID = ? AND Hotels.ID = ?");

/* Bind parameters. Types: s = string, i = integer, d = double, b = blob */
$stmt->bind_param("ii", $dest, $hotel);
/* Run the statement and fetch the result set */
$stmt->execute();
$result = $stmt->get_result();

Try changing the last string to

WHERE Destinations.ID = '".$dest."' AND Hotels.ID ='".$hotel."'";

And always show SQL errors. It is helpful.

SQL (Most flavours, anyways) requires that strings be delimited by single-quotes. You have to build this into your query. Also, don't bother concatenating the variables as PHP is capable of finding variables inside strings.

Do not build SQL queries that way. Use prepared statements instead. Its parameter binding avoids any issue related to the data type, SQL injection attacks and any security stuff.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
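A complete worked version of the prepared-statement advice above, added here as an example and not taken from the original post. It validates both IDs as integers before binding them, so user data never ends up inside the SQL text and the quoting problem from the question does not arise. The schema and rows are constructed to mirror the tables in the question; it uses PDO with an in-memory SQLite database so it runs without a MySQL server (with mysqli the equivalent calls are prepare()/bind_param("ii")/execute(), as shown in the accepted answer).

```php
<?php
// Added example (not from the original post). PDO + in-memory SQLite stands
// in for mysqli/MySQL so the script runs stand-alone; the technique is the same.
declare(strict_types=1);

// Constructed schema and sample rows mirroring the tables in the question.
function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // always surface SQL errors
    $db->exec('CREATE TABLE Destinations (ID INTEGER PRIMARY KEY, Name TEXT)');
    $db->exec('CREATE TABLE Hotels (ID INTEGER PRIMARY KEY, HotelName TEXT, HotelImage1 TEXT)');
    $db->exec('CREATE TABLE PriceBands (ID INTEGER PRIMARY KEY, PriceBand_Cost REAL)');
    $db->exec('CREATE TABLE Holidays (ID INTEGER PRIMARY KEY, Hotel_ID INT, PriceBand_ID INT, Destination_ID INT)');
    $db->exec("INSERT INTO Destinations VALUES (1, 'Crete'), (2, 'Malta')");
    $db->exec("INSERT INTO Hotels VALUES (10, 'Sea View', 'sea.jpg'), (11, 'Old Town', 'old.jpg')");
    $db->exec('INSERT INTO PriceBands VALUES (1, 499.0), (2, 899.0)');
    $db->exec('INSERT INTO Holidays VALUES (100, 10, 1, 1), (101, 11, 2, 2)');
    return $db;
}

// Hypothetical helper: validate both IDs as integers first, then bind them.
// The query text is a constant; the values travel separately to the driver.
function findHoliday(PDO $db, string $dest, string $hotel): ?array {
    $destId  = filter_var($dest, FILTER_VALIDATE_INT);
    $hotelId = filter_var($hotel, FILTER_VALIDATE_INT);
    if ($destId === false || $hotelId === false) {
        return null; // non-integer input is rejected before any query runs
    }
    $stmt = $db->prepare(
        'SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost
           FROM Holidays
           INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
           INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
           INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
          WHERE Destinations.ID = ? AND Hotels.ID = ?'
    );
    $stmt->bindValue(1, $destId, PDO::PARAM_INT);  // same role as bind_param("ii", ...)
    $stmt->bindValue(2, $hotelId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = buildDb();
var_dump(findHoliday($db, '1', '10'));   // request parameters arrive as strings
var_dump(findHoliday($db, '1x', '10'));  // malformed ID: validation stops it
```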
