
Good Day

I am using a program called Site Lock from Vibralogix. It works great for what I need, but I have a question; maybe someone can assist me.

The site allows me to draw certain information about the user using simple PHP echo commands:

 <?php echo $slusername; ?>

This will echo the user name for me, and so on. What I would like to do is use this to filter a query on MySQL tables. This is my current code:

 // Connect to server and select database.
 mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
 mysql_select_db("$db_name")or die("cannot select DB");
 $query = "SELECT * FROM members WHERE ussd_dealer = '<?php echo $slcustom1; ?>' ";
 $result = mysql_query($query);
 echo " ".mysql_num_rows($result)." ";
 ?>

My table has the ussd_dealer column, and the custom1 value I am calling works on the site but does not work in the query to filter the table for me. I am not sure if I need to use "" instead of '' after the WHERE ussd_dealer = . Assistance would be greatly appreciated.

Maggie Ackermann

2 Answers

You don't need to echo inside your string creation:

$query = "SELECT * FROM members WHERE ussd_dealer = '$slcustom1' ";

When you want to echo it to the HTML, you use the echo function, but when you simply want to use the value inside the variable - and you are in a PHP code structure, you can simply refer to it as it is.

Be aware though that this is terribly insecure.

You should read this question/wiki on what SQL injection is, and why doing what you are asking is opening a can of worms to have your site hosed.

Community
Fluffeh

You can use the variable name directly in your query:

$query = "SELECT * FROM members WHERE ussd_dealer = '{$slcustom1}' ";

Side note: use mysqli instead of mysql.

ashishmaurya
  • You won't get any results if you include the semi-colon INSIDE the quotes denoting your search string. – Fluffeh May 10 '14 at 13:25
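
The SQL injection warning in the first answer and the mysqli side note in the second both point toward prepared statements. The following is an added example, not part of either answer: it compares the interpolated query with a prepared one, using PDO and an in-memory SQLite table in place of MySQL so it runs without a server. The rows, input values and function names are constructed for illustration; mysqli offers the same pattern through prepare(), bind_param() and execute().

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server;
// the members rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, ussd_dealer TEXT)");
$db->exec("INSERT INTO members (name, ussd_dealer) VALUES
    ('alice', 'dealer_a'), ('bob', 'dealer_a'), ('carol', 'dealer_b')");

// Pattern from the answers: the value becomes part of the SQL text,
// so any quote character in it changes the statement itself.
function count_interpolated(PDO $db, string $slcustom1): int {
    $query = "SELECT COUNT(*) FROM members WHERE ussd_dealer = '$slcustom1'";
    return (int) $db->query($query)->fetchColumn();
}

// Prepared statement: the SQL text is fixed and the value is bound
// as data, so it is only ever compared against the column.
function count_prepared(PDO $db, string $slcustom1): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM members WHERE ussd_dealer = ?");
    $stmt->execute([$slcustom1]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a normal value, a value that rewrites the WHERE
// clause when interpolated, and a legitimate name containing a quote.
$inputs = ["dealer_a", "x' OR '1'='1", "O'Brien"];
foreach ($inputs as $value) {
    try {
        $interpolated = count_interpolated($db, $value);
    } catch (PDOException $e) {
        $interpolated = "SQL error";
    }
    $prepared = count_prepared($db, $value);
    printf("%-16s interpolated=%-9s prepared=%d\n", $value, $interpolated, $prepared);
}
```

With the interpolated query, the second input matches every row and the third breaks the statement; the prepared query treats both as plain strings that match no dealer.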