$_SESSION variable in mysql query?
Whenever I try a query like:
mysql_query("SELECT * FROM data WHERE `user`=$_SESSION['valid_user'] LIMIT 1");
it doesn't work. Why? I escaped the variable, then tried it without, and tried putting quotes around the variable. I know i can do:
$user = $_SESSION['valid_user'];
but shouldn't it work without? Thanks.
THE ANSWER:
PHP can't recognize $_SESSION['valid开发者_JS百科_user'] due to the single quotes. So either use curly braces {} or take our the single quotes.
Thanks for helping me everyone.
PHP can't recognise variables inside a string that have square brackets and so on, you have to wrap it in curly brackets to get it to recognise it.
mysql_query("SELECT * FROM data WHERE user={$_SESSION['valid_user']} LIMIT 1");
However - You should always escape any data going into a SQL query, try the example below.
$validUser = mysql_real_escape_string($_SESSION['valid_user']);
mysql_query("SELECT * FROM data WHERE user='$validUser' LIMIT 1");
Arrays/objects must be included in strings slightly differently:
mysql_query("SELECT * FROM data WHERE `user`={$_SESSION['valid_user']} LIMIT 1");
or, you can drop out of the string and concatenate it in:
mysql_query("SELECT * FROM data WHERE `user`=" . $_SESSION['valid_user'] . " LIMIT 1");
Same but with PDO and bound parameters
$stmt = $pdo->prepare('SELECT * FROM data WHERE `user`=:user LIMIT 1');
$stmt->execute(array(':user'=>$_SESSION['valid_user']));
$row = $stmt->fetch();
Note: you can't make LIMIT 1 into a bound parameter because LIMIT is not part of the standard sql and PDO has issues with it, so it has to be bound like this
$stmt = $pdo->prepare('SELECT * FROM data WHERE `user`=:user LIMIT :limit');
$limit = 1;
$user = $_SESSION['valid_user'];
$stmt->bindParam(':user', $user, PDO::PARAM_STR);
$stmt->bindParam(':limit', $limit, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch();
or like this
$limit = 1;
$stmt = $pdo->prepare('SELECT * FROM data WHERE `user`=:user LIMIT '.(int)$limit);
$stmt->execute(array(':user'=>$_SESSION['valid_user']));
$row = $stmt->fetch();
this is the way that I was taught to do it, so I wanted to point it out
try this:
mysql_query("SELECT * FROM data WHERE `user`={$_SESSION['valid_user']} LIMIT 1");
also remember to put session_start
on the top of the page
your array is in this context just part of a string and nothing else. To mark an expression as what it is you have to embrace it curly ;-) works only with double quoted strings, though.
mysql_query("SELECT * FROM data WHERE user={$_SESSION['valid_user']} LIMIT 1");
You need to use the string concatenation operator '.'
before and after the variable.
mysql_query("SELECT * FROM data WHERE `user`=".$_SESSION['valid_user']." LIMIT 1");
Since you are using a double quoted string, you can also use {}
around the variable instead of string concatenation:
mysql_query("SELECT * FROM data WHERE `user`={$_SESSION['valid_user']} LIMIT 1");
By the way, you probably should look into the mysqli
(http://php.net/manual/en/book.mysqli.php) library, and be using mysqli::real_escape_string
(http://www.php.net/manual/en/mysqli.real-escape-string.php) to ensure that any non-literal variable values are properly escaped.
精彩评论