I am having a problem with this simple sql query:
<?php
require_once('../../Connections/tohoshows.php');
$show ='gothaf';
mysql_select_db($database_tohoshows, $tohoshows);
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
$getShows = mysql_query($query_getShows, $tohoshows) or die(mysql_error());
$row_getShows = mysql_fetch_assoc($getShows);
$totalRows_getShows = mysql_num_rows($getShows);
mysql_free_result($getShows);
?>
When I use the string directly in the WHERE clause like this
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf'";
I get a result. When I use the variable instead, I get no data! I am a novice and I can't figure out what I am doing wrong. Any help would be appreciated. Thank you!
You are getting no data because you have an extra space between the quotes,
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
^ HERE ^
which will then be parsed into
SELECT * FROM toho_shows WHERE toho_shows.show =' gothaf '
Remove it and it will work:
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='". $show. "'";
As a sidenote, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.
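The prepared-statement approach the answer recommends, as an added example that is not part of the original answer. It assumes PDO with an in-memory SQLite table standing in for the page's MySQL `toho_shows` table; the helper names `findShows` and `findShowsConcatenated`, the extra columns and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed in-memory SQLite table standing in for the
// page's MySQL table toho_shows (assumption; use a mysql: DSN in practice).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE toho_shows (id INTEGER PRIMARY KEY, show TEXT, title TEXT)');
$pdo->exec("INSERT INTO toho_shows (show, title)
            VALUES ('gothaf', 'Constructed row A'), ('other', 'Constructed row B')");

// Hypothetical helper: parameterized lookup. The value travels as data,
// so no quotes are written around it and it cannot change the SQL text.
function findShows(PDO $pdo, string $show): array
{
    $stmt = $pdo->prepare('SELECT * FROM toho_shows WHERE toho_shows.show = :show');
    $stmt->execute([':show' => $show]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: the concatenated form from the corrected query in
// the answer, kept only to compare its behaviour with the prepared one.
function findShowsConcatenated(PDO $pdo, string $show): array
{
    $sql = "SELECT * FROM toho_shows WHERE toho_shows.show ='" . $show . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal value and one containing a quote that
// rewrites the WHERE clause when it is concatenated into the string.
$normal  = 'gothaf';
$hostile = "x' OR '1'='1";

printf("prepared, normal value:      %d row(s)\n", count(findShows($pdo, $normal)));
printf("concatenated, hostile value: %d row(s)\n", count(findShowsConcatenated($pdo, $hostile)));
printf("prepared, hostile value:     %d row(s)\n", count(findShows($pdo, $hostile)));
```

With concatenation the hostile value matches every row in the table; with the bound parameter it is compared as a literal string and matches none.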