Using PHP variable in SQL query

Question

I'm having some trouble using a variable declared in PHP with an SQL query. I have used the resources at How to include a PHP variable inside a MySQL insert statement but have had no luck with them. I realize this is prone to SQL injection and if someone wants to show me how to protect against that, I will gladly implement that. (I think by using mysql_real_escape_string but that may be deprecated?)

<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'hospital_name' AND value = '$q'";

$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
   echo $row['value'];
}
?>

I have tried switching '$q' with $q and that doesn't work. If I substitute the hospital name directly into the query, the SQL query and PHP output code works so I know that's not the problem unless for some reason it uses different logic with a variable when connecting to the database and executing the query.

Thank you in advance.

Edit: I'll go ahead and post more of my actual code instead of just the problem areas since unfortunately none of the answers provided have worked. I am trying to print out a "Case ID" that is the primary key tied to a patient. I am using a REDCap clinical database and their table structure is a little different than normal relational databases. My code is as follows:

<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'case_id' AND record in (SELECT distinct record FROM database.table WHERE field_name = 'hospital_name' AND value = '$q')";

$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
   echo $row['value'];
}
?>

I have tried substituting $q with '$q' and '".$q."' and none of those print out the case_id that I need. I also tried using the mysqli_stmt_* functions but they printed nothing but blank as well. Our server uses PHP version 5.3.3 if that is helpful.

Thanks again.

Answer 1

Do it like so

<?php
$q = 'mercy_west';
$query = "SELECT col1,col2,col3,col4 FROM database.table WHERE field_name = 'hospital_name' AND value = ?";
if($stmt = $db->query($query)){
  $stmt->bind_param("s",$q);   // s is for string, i for integer, number of these must match your ? marks in query. Then variable you're binding is the $q, Must match number of ? as well
  $stmt->execute();
  $stmt->bind_result($col1,$col2,$col3,$col4);  // Can initialize these above with $col1 = "", but these bind what you're selecting. If you select 5 times, must have 5 variables, and they go in in order. select id,name, bind_result($id,name)
  $stmt->store_result();
  while($stmt->fetch()){   // fetch the results
    echo $col1;
  }
  $stmt->close();
}

?>

Answer 2

Yes mysql_real_escape_string() is deprecated.

One solution, as hinted by answers like this one in that post you included a link to, is to use prepared statements. MySQLi and PDO both support binding parameters with prepared statements.

To continue using the mysqli_* functions, use:

• mysqli_prepare() to get a prepared statement
• mysqli_stmt_bind_param() to bind the parameter (eg for the WHERE condition value='$q' )
• mysqli_stmt_execute() to execute the statement

• mysqli_stmt_bind_result() to send the output to a variable.

   <?php $q = 'Hospital_Name'; $query = "SELECT value FROM database.table WHERE field_name = 'hospital_name' AND value = ?"; $statement = mysqli_prepare($conn, $query); //Bind parameter for $q; substituted for first ? in $query //first parameter: 's' -> string mysqli_stmt_bind_param($statement, 's', $q); //execute the statement mysqli_stmt_execute($statement); //bind an output variable mysqli_stmt_bind_result($stmt, $value); while ( mysqli_stmt_fetch($stmt)) { echo $value; //print the value from each returned row }

If you consider using PDO, look at bindparam() . You will need to determine the parameters for the PDO constructor but then can use it to get prepared statements with the prepare() method.