I have two files in use. The first is a front-end select box with a list of dynamically populated char/text values that uses POST to send the selected value to a back-end file. This back-end file assigns the value to a variable, and that variable is then used in the following query:
$query = "SELECT DoctorName, Speciality FROM hospital WHERE HospitalName =".$hosname;
However, I keep getting the "Invalid query" message I have set in my or die(), and I have no idea why. The full section of PHP code in the back-end file is as follows:
$conn = mysqli_connect("localhost", "root", "") or die ("No connection");
mysqli_select_db($conn, "hospitaldb") or die("db will not open");
$hosname=$_POST['valuelist'];
$query = "SELECT DoctorName, Speciality FROM hospital WHERE HospitalName =".$hosname;
$result = mysqli_query($conn, $query) or die("Invalid query");
echo "<table border='1'><tr><th>mDoctorName</th><th>Speciality</th></tr>";
while($row = mysqli_fetch_array($result))
{
echo "<tr><td>" . $row[0] . "</td><td>" . $row[1] . "</td></tr>";
}
echo "</table>";
mysqli_close($conn);
Note: I have checked that the value from the select box is being passed in using print and it is. Any help would be greatly appreciated.
*I am only testing this locally but thanks to all who recommended mysql_real_escape_string() to protect against injections.*
The resulting SQL query you want would be something like:
In other words, you need to add quotes to your query creation:
You should really also escape the hospital name using mysql_real_escape_string() before just inserting it into a query.
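As an added example (not the asker's code and not the answerer's), here is the same lookup written with a mysqli prepared statement. The table, column and POST field names are taken from the question; the connection details and a sample hospital name are assumed. Binding the value means the quoting problem in the question disappears (the driver handles it) and a value containing a quote cannot alter the query, which escaping alone only mitigates.

```php
<?php
// Added example: the question's lookup rewritten with a mysqli prepared statement.
// Assumed: localhost/root connection and database "hospitaldb" as in the question;
// table "hospital" with columns HospitalName, DoctorName, Speciality.

// Surface SQL errors as exceptions instead of a bare "Invalid query" from or die().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = mysqli_connect("localhost", "root", "", "hospitaldb");

// Value from the front-end select box (field name from the question).
// Hypothetical fallback value so the script also runs outside a POST request.
$hosname = $_POST['valuelist'] ?? "General Hospital";

// Why the original fails: concatenating without quotes produces
//   ... WHERE HospitalName =General Hospital
// which is a syntax error. Adding quotes fixes the syntax but leaves the query
// injectable, since a name containing a single quote terminates the literal.
// The prepared statement below uses a "?" placeholder instead.
$stmt = mysqli_prepare(
    $conn,
    "SELECT DoctorName, Speciality FROM hospital WHERE HospitalName = ?"
);
mysqli_stmt_bind_param($stmt, "s", $hosname);   // "s" = bind as a string
mysqli_stmt_execute($stmt);

// bind_result/fetch works without the mysqlnd driver that get_result needs.
mysqli_stmt_bind_result($stmt, $doctor, $speciality);

echo "<table border='1'><tr><th>DoctorName</th><th>Speciality</th></tr>";
while (mysqli_stmt_fetch($stmt)) {
    // Encode output as well, so a stored value cannot inject HTML into the page.
    echo "<tr><td>" . htmlspecialchars($doctor, ENT_QUOTES, 'UTF-8')
       . "</td><td>" . htmlspecialchars($speciality, ENT_QUOTES, 'UTF-8')
       . "</td></tr>";
}
echo "</table>";

mysqli_stmt_close($stmt);
mysqli_close($conn);
```

If you must keep string building, the matching function for a mysqli connection is mysqli_real_escape_string($conn, $hosname), and the result still has to be wrapped in quotes in the SQL; the prepared statement above avoids both steps.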