strange php variable to mysql problem

teknicalissue · May 18 '09, 08:20 PM (#1)

in my block of code

PHP Code:


			
class DeleteClass{
    public function deleteSomething($item2,$uniqueField2,$table2){

        $query = mysql_query("DELETE FROM '$table2' WHERE '$uniqueField2' = '$item2'");
  if(!query){
      echo mysql_error();
  }
}
}

this returns an error... but if i remove the single quotes from the php variables in the query.. it works.. why??? i thought you were supposed to add single quotes to php variables in querys?

**mlseim** · May 19 '09, 07:59 AM (#2)

Don't be afraid to use Google for questions like these:
http://www.google.com/search?hl=en&q...=mysql+single+

curare · May 19 '09, 12:04 PM (#3)

That is because, the $table2 variable should be backticked. So your code becomes:

PHP Code:


			
class DeleteClass{
    public function deleteSomething($item2,$uniqueField2,$table2){

        $query = mysql_query("DELETE FROM `$table2` WHERE '$uniqueField2' = '$item2'");
  if(!query){
      echo mysql_error();
  }
}
}

The backtick is the character under the tilde (~) on most keyboards.

teknicalissue · May 19 '09, 01:31 PM (#4)

Quote:

Originally Posted by mlseim

Don't be afraid to use Google for questions like these:
http://www.google.com/search?hl=en&q...=mysql+single+

i did look it up in google.. i couldn't find it thus i came here.. thank you for the link though.

now that im here, why does the table name need to be backticked? (i can look this up on google but now that im getting replies i would like a more in depth explanation)

curare · May 19 '09, 01:49 PM (#5)

I believe it's to differentiate it from a field, but there is probably more to it that just that.

Eddy Bones · May 19 '09, 02:29 PM (#6)

Table and field names technically do not need to be quoted or backticked. I'm not aware of any standard that is met by doing so. However, I have often seen table names and such backticked. Maybe I'm just a lazy programmer

As far as I know, PHP does not parse variables that are wrapped in single quotes. If you wanted to use them you'd have to start concatenating the query string like this:

PHP Code:


			
$query = mysql_query("DELETE FROM '".$table2."' WHERE '".$uniqueField2."' = '".$item2."'");

That gets pretty crazy... I suppose that's a good reason why backticks can be used, since single quotes are such a widely-used syntactical element in many languages and will potentially blow things up.

teknicalissue · May 20 '09, 01:00 PM (#7)

ok thank you, im still a tad bit confused though i got my information from this mysql post http://forums.mysql.com/read.php?52,...437#msg-247437
and ive been using this technique for months now. this is the first time where this has failed lol if this is wrong then why does it work? if its not then why doesn't it work for this specific instance?. while im at it, can anyone explain %S for me? lol i look it up in google and it completly ignores my query.

Danny[MLWA] · June 10 '09, 04:17 AM (#8)

Absolute best way to stop hackers dead in their tracks, is to make sure that ANY and ALL input fields are protected with:

Code:

$post_this_val_instead = mysql_real_escape_string($_POST['some_field_name']);

Wham, all injections halted =)

http://us3.php.net/manual/en/functio...ape-string.php

Quote:

Originally Posted by teknicalissue

in my block of code

PHP Code:


			
class DeleteClass{

    public function deleteSomething($item2,$uniqueField2,$table2){



        $query = mysql_query("DELETE FROM '$table2' WHERE '$uniqueField2' = '$item2'");

  if(!query){

      echo mysql_error();

  }

}

}

this returns an error... but if i remove the single quotes from the php variables in the query.. it works.. why??? i thought you were supposed to add single quotes to php variables in querys?

instead of using 's use `s instead...

PHP Code:


			
class DeleteClass{

    public function deleteSomething($item2,$uniqueField2,$table2){



        $query = mysql_query("DELETE FROM `" . $table2 . "` WHERE `" . $uniqueField2 . "` = `" . $item2 . "`");

  if(!query){

      echo mysql_error();

  }

}

}

Also I broke the query up into a breaking string for you as well with the quotes and periods. When you use "'s in a query like that you're telling php to try and detect any variables in that string... Sometimes there aren't any and sometimes I just can't find them or thinks that it is not a variable where there is not a space before the variable... so '$variable would be skipped as a variable... Where as ' $variable would work. The safest way to do it is like so:

Code:

"SELECT * FROM `" . $tablename . "` WHERE....."