mysql SELECT * WHERE value = $row['item']

What's the correct way to code the following

SELECT * FROM table WHERE value = $row['item']

$row['item'] echos correctly, but does not seem to work in the mysql query. Been having this problem for a few days. I'开发者_如何转开发ve tried .$row['item']. and a few other variations but I must be doing something wrong.

The better more appropriate approach is to use mysqli and prepared statements ie:

$stmt = $mysqli->prepare("SELECT * FROM table WHERE value =?");
$stmt->bind_param("s",$row['item']);  // I am assuming row['item'] is a string
$stmt->execute();

If you can't use mysqli or absolutely refuse to you can use this:

$query = "SELECT * FROM table WHERE value = '".mysql_real_escape_string($row['item'])."'"; 

The answer sort of depends on what is held within the $row['item'] variable. If it's a numeric value, then the query above should be fine. Since it's not working, I assume that the value of that variable is actually a string. In that case, you need to surround the value in quotes so that the database can correctly identify it as a string value (otherwise, it would just be gibberish "commands" that the database can't identify, causing the query to fail).

Regardless of the above, you shouldn't be directly inserting variables into a query under pretty much any circumstances. The reason is that it opens you up to SQL injection if you're not extremely careful. For example, if your $row['item'] variable was wrapped in single quotes in the query, but contained a single quote in its value, then the database would interpret the quote within the variable as the ending quote for the entire parameter, and it would screw up the query. Worse still, a hacker could take advantage of this to end your query entirely, then add a second query of his own making onto it (or they could introduce a UNION query on the end of the original, etc.). At the very least, you should be running something like mysql_real_escape_string() on the variable before using it:

$sql = "SELECT * FROM table WHERE value = " . 
        mysql_real_escape_string($row['item']);

The best way to get around this and secure your queries is to use prepared statements. These are queries that have placeholders in them instead of concatenated variables. You prepare the query with these placeholders, then you issue additional commands to the database to tell it what values to place in those placeholders. The database then takes care of the tricky issue of sanitizing these variables so that they don't cause any damage. You can use PDO for this:

try {
  $dbh = new PDO(DB_DSN, 
                 DB_USER, 
                 DB_PASS,
                 array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)
             );
} catch (PDOException $e) {
  echo "Connection failed: " . $e->getMessage();
  exit();
}

// create query with a named placeholder
$sql = "SELECT * FROM table WHERE value = :value";

try {
  $stmt = $dbh->prepare($sql);

  // tell PDO to substitute the value in $row['item']
  // for the named parameter specified above.
  $stmt->bindValue(":value", $row['item']);

  // execute the query and load the results into an array
  $stmt->execute();
  $records = $stmt->fetchAll();

} catch (PDOException $e) {
  echo "Query failed: " . $e->getMessage();
  exit();
}

foreach ($records as $record) {
  // use db records
}

The way I usually recommend doing it is something like this:

$sql = sprintf("SELECT * FROM table WHERE value = '%s'",
    mysql_real_escape_string($row['item']));

$item = mysql_real_escape_string($row['item']);
$mysqlQuery = "SELECT * FROM table WHERE value = '" . $item . "'";

you are missing single quotes

SELECT * FROM table WHERE value = '{$row['item']}'

PHP example