Home/ Questions/Q 8204211
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T07:49:44+00:00

I believe I have a simple syntax problem in my SQL statement. If I

  • 0

I believe I have a simple syntax problem in my SQL statement. If I run this code, I get an error in the database query. 

$user = $_GET['linevar'];
echo $user;  // testing - url variable echos correctly
$sql = "SELECT * FROM `userAccounts` WHERE `name` = $user";
$result = mysql_query($sql) or die("Error in db query");

If I replace $user in the $sql string with 'actualName' or a known record in my table, the code works fine. Am I using the $ variable incorrectly in the SQL string?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to surround the value that you’re getting from $user with quotes, since it’s probably not a number:

    $sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";

    Just as a note, you should also read up on SQL injection, since this code is susceptible to it. A fix would be to pass it through mysql_real_escape_string():

    $user = mysql_real_escape_string( $_GET['linevar']);

    You can also replace your or die(); logic with something a bit more informative to get an error message when something bad happens, like:

    or die("Error in db query" . mysql_error());
    • 0