PHP and MYSQL - Querying A Variable
Ok, I have this PHP $_POST['username'] variable and I need to query everything on the user via MYSQL. The only problem is it keeps throwing me errors.
Something like:
$user = $_POST['username'];
$query = mysql_query("SELECT * FROM user WHERE username = $user");
I've tried
$query = mysql_query("SELECT * FROM user WHERE username = `$user`");
$query = mysql_query("SELECT * FROM user WHERE username = ".$user);
Not sure what I'm doing wrong.
Your problem is that strings in SQL need to be enclosed in single quotes.
The most preferable approach would be to use PDO. But sprintf (along with mysql_real_escape_string) is a better interim approach than what is posted:
$query = sprintf("SELECT u.*
FROM USER u
WHERE u.username = '%s'",
mysql_real_escape_string($_POST['username']));
$result = mysql_query($query);
Lest we forget Little Bobby Tables ;)
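The PDO approach recommended in the answer above, shown as an added example that is not part of the original answer. It assumes an in-memory SQLite database in place of MySQL so it runs offline; the table contents, the findUser helper and the sample inputs are constructed for illustration.

```php
<?php
// Added example: the username lookup done with a PDO prepared statement.
// Assumption: SQLite in memory stands in for MySQL; with MySQL only the
// DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also turn off emulation so the server prepares the statement:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table and rows.
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)');
$insert = $pdo->prepare('INSERT INTO user (username, email) VALUES (:username, :email)');
foreach ([['alice', 'alice@example.com'], ["O'Brien", 'obrien@example.com']] as [$u, $e]) {
    $insert->execute([':username' => $u, ':email' => $e]);
}

// Hypothetical helper: returns the matching row, or null when nothing matches.
function findUser(PDO $pdo, $username): ?array
{
    // Reject missing or non-string input (username[]=x arrives as an array).
    if (!is_string($username) || $username === '') {
        return null;
    }
    // The value is bound as data; it is never spliced into the SQL text,
    // so no quoting or escaping of $username is needed.
    $stmt = $pdo->prepare('SELECT id, username, email FROM user WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_POST['username'], including a
// legitimate name with a quote and the "Bobby Tables" style value.
$samples = ['alice', "O'Brien", "Robert'); DROP TABLE user;--", ['x']];
foreach ($samples as $input) {
    $row = findUser($pdo, $input);
    printf("%-34s => %s\n", json_encode($input), $row ? $row['email'] : 'no match');
}

// The table is intact after every lookup.
$count = (int) $pdo->query('SELECT COUNT(*) FROM user')->fetchColumn();
echo "rows in user: $count\n";
```

The mysql_* functions used elsewhere on this page were removed in PHP 7, so PDO (or mysqli) with bound parameters is also the form that still runs on current PHP.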
$user = $_POST['username'];
$query = ('SELECT * FROM user WHERE username LIKE "' . $user . '"');
Use this:
$query = mysql_query("SELECT * FROM user WHERE username = '$user'");