I am facing a problem fetching data from SQL.

When I use the statement below, it works fine:

$sql = 'SELECT `Name`, `Des`, `Url`, `about`, `date` FROM `data` where name = \'facebook\''; 
$retval = mysql_query( $sql, $conn );

When I do the same using a parameter name, I have a problem. The code I used is:

$name = $_GET['name'];
$sql = 'SELECT `Name`, `Des`, `Url`, `about`, `date` FROM `data` where name = \'$name''; 
$retval = mysql_query( $sql, $conn );

I also tried concatenating the name like \'facebook\':

$name1 = "\'".$name . " \'";

but it is also not working.
  • try name = $name instead (Commented Feb 4, 2013 at 13:53)

2 Answers

3

Use double quotes so you won't need to escape the single quotes.

$sql = "SELECT  Name, Des, Url, about, date
        FROM    data 
        where   name = '$name'";

As a side note, the query is vulnerable to SQL injection if the values of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

0

Use Mysqli instead of Mysql.

Solution for your query:

$name = $_GET['name']; 
$sql = "SELECT Name, Des, Url, about, date FROM data where name = '".mysql_real_escape_string($name)."'";
$retval = mysql_query( $sql, $conn );
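Since the first answer recommends prepared statements and the second recommends mysqli, here is the same lookup written with a mysqli prepared statement, where the value from $_GET['name'] is sent separately from the SQL text and never needs quoting or escaping. This is an added example, not code from the question or either answer; the host, database name and credentials are placeholders, and the table and column names are taken from the question.

```php
<?php
// Added example: parameterised version of the question's lookup on `data`.
// Host, database and credentials are placeholders; replace them for your setup.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($conn->connect_error) {
    die('Connection failed: ' . htmlspecialchars($conn->connect_error));
}

// The `?` marks where the value will be bound at execution time, so the SQL
// text itself never contains user input (and no quotes around the value).
$sql = 'SELECT `Name`, `Des`, `Url`, `about`, `date` FROM `data` WHERE `name` = ?';
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . htmlspecialchars($conn->error));
}

// Bind the untrusted input as a string ("s"). Whatever it contains, quotes
// included, it is compared literally against the `name` column.
$name = isset($_GET['name']) ? $_GET['name'] : '';
$stmt->bind_param('s', $name);
$stmt->execute();

// bind_result()/fetch() works without the mysqlnd driver, unlike get_result().
$stmt->bind_result($rowName, $des, $url, $about, $date);
while ($stmt->fetch()) {
    // Escape on output as well, since these values end up in an HTML page.
    echo htmlspecialchars($rowName), ' | ', htmlspecialchars($url), "\n";
}

$stmt->close();
$conn->close();
```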
