开发者

$_SESSION variable in mysql query?

Whenever I try a query like:

mysql_query("SELECT * FROM data WHERE `user`=$_SESSION['valid_user'] LIMIT 1");

it doesn't work. Why? I escaped the variable, then tried it without, and tried putting quotes around the variable. I know i can do:

$user = $_SESSION['valid_user'];

but shouldn't it work without? Thanks.

THE ANSWER:

PHP can't recognize $_SESSION['valid开发者_JS百科_user'] due to the single quotes. So either use curly braces {} or take our the single quotes.

Thanks for helping me everyone.


PHP can't recognise variables inside a string that have square brackets and so on, you have to wrap it in curly brackets to get it to recognise it.

mysql_query("SELECT * FROM data WHERE user={$_SESSION['valid_user']} LIMIT 1");

However - You should always escape any data going into a SQL query, try the example below.

$validUser = mysql_real_escape_string($_SESSION['valid_user']);
mysql_query("SELECT * FROM data WHERE user='$validUser' LIMIT 1");


Arrays/objects must be included in strings slightly differently:

mysql_query("SELECT * FROM data WHERE `user`={$_SESSION['valid_user']} LIMIT 1");

or, you can drop out of the string and concatenate it in:

mysql_query("SELECT * FROM data WHERE `user`=" . $_SESSION['valid_user'] . " LIMIT 1");


Same but with PDO and bound parameters

$stmt = $pdo->prepare('SELECT * FROM data WHERE `user`=:user LIMIT 1');
$stmt->execute(array(':user'=>$_SESSION['valid_user']));
$row = $stmt->fetch();

Note: you can't make LIMIT 1 into a bound parameter because LIMIT is not part of the standard sql and PDO has issues with it, so it has to be bound like this

$stmt = $pdo->prepare('SELECT * FROM data WHERE `user`=:user LIMIT :limit');
$limit = 1;
$user = $_SESSION['valid_user'];
$stmt->bindParam(':user', $user, PDO::PARAM_STR);
$stmt->bindParam(':limit', $limit, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch();

or like this

$limit = 1;
$stmt = $pdo->prepare('SELECT * FROM data WHERE `user`=:user LIMIT '.(int)$limit);
$stmt->execute(array(':user'=>$_SESSION['valid_user']));
$row = $stmt->fetch();

this is the way that I was taught to do it, so I wanted to point it out


try this:

mysql_query("SELECT * FROM data WHERE `user`={$_SESSION['valid_user']} LIMIT 1");

also remember to put session_start on the top of the page


your array is in this context just part of a string and nothing else. To mark an expression as what it is you have to embrace it curly ;-) works only with double quoted strings, though.

mysql_query("SELECT * FROM data WHERE user={$_SESSION['valid_user']} LIMIT 1");


You need to use the string concatenation operator '.' before and after the variable.

mysql_query("SELECT * FROM data WHERE `user`=".$_SESSION['valid_user']." LIMIT 1");

Since you are using a double quoted string, you can also use {} around the variable instead of string concatenation:

mysql_query("SELECT * FROM data WHERE `user`={$_SESSION['valid_user']} LIMIT 1");

By the way, you probably should look into the mysqli (http://php.net/manual/en/book.mysqli.php) library, and be using mysqli::real_escape_string (http://www.php.net/manual/en/mysqli.real-escape-string.php) to ensure that any non-literal variable values are properly escaped.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜