simple php variable question

Hope someone can help me

I have declared the variable

 <?php $sitename = "http://" .$_SERVER["SERVER_NAME"]; ?>

and would like to use the variable in a mysql 开发者_如何学Goquery:

$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = "echo $sitename" AND g_page_url = '/index.asp'";

How do I do the "echo $sitename" part? thanks

$sitename = "http://" .$_SERVER["SERVER_NAME"];
$sitename = mysql_real_escape_string($sitename);
$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = '" . $sitename . "' AND g_page_url = '/index.asp'";

$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = '". mysql_real_escape_string($sitename) . "' AND g_page_url = '/index.asp'";

Two things to pull away from this:

1. You don't want to echo a variable "into" a sql query, this just doesn't make sense. You want to concatonate the variable with the rest of the string with the "." operator.

2. You ALWAYS want to sanitize your input when inserting something into a database. In this case you want to escape your string to prevent SQL injections.

$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = '".$sitename."' AND g_page_url = '/index.asp'";

$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = $sitename AND g_page_url = '/index.asp'";