in my block of code

PHP How do I post PHP blocks?

class DeleteClass{
    public function deleteSomething($item2,$uniqueField2,$table2){

        $query = mysql_query("DELETE FROM '$table2' WHERE '$uniqueField2' = '$item2'");
  if(!query){
      echo mysql_error();
  }
}
} 


this returns an error... but if i remove the single quotes from the php variables in the query.. it works.. why??? i thought you were supposed to add single quotes to php variables in querys?

Don't be afraid to use Google for questions like these:
http://www.google.com/search?hl=en&q...ysql+singl e+

That is because, the $table2 variable should be backticked. So your code becomes:

PHP How do I post PHP blocks?

class DeleteClass{
    public function deleteSomething($item2,$uniqueField2,$table2){

        $query = mysql_query("DELETE FROM `$table2` WHERE '$uniqueField2' = '$item2'");
  if(!query){
      echo mysql_error();
  }
}
} 


The backtick is the character under the tilde (~) on most keyboards.

Posted by mlseim How do I post quotes?

Don't be afraid to use Google for questions like these:
http://www.google.com/search?hl=en&q=mysql+single+quote+in+query&cts=1242734304962&aq=6&oq=mysql+singl e+

i did look it up in google.. i couldn't find it thus i came here.. thank you for the link though.

now that im here, why does the table name need to be backticked? (i can look this up on google but now that im getting replies i would like a more in depth explanation)

I believe it's to differentiate it from a field, but there is probably more to it that just that.

Table and field names technically do not need to be quoted or backticked. I'm not aware of any standard that is met by doing so. However, I have often seen table names and such backticked. Maybe I'm just a lazy programmer

As far as I know, PHP does not parse variables that are wrapped in single quotes. If you wanted to use them you'd have to start concatenating the query string like this:

PHP How do I post PHP blocks?

$query = mysql_query("DELETE FROM '".$table2."' WHERE '".$uniqueField2."' = '".$item2."'"); 


That gets pretty crazy... I suppose that's a good reason why backticks can be used, since single quotes are such a widely-used syntactical element in many languages and will potentially blow things up.

ok thank you, im still a tad bit confused though i got my information from this mysql post http://forums.mysql.com/read.php?52,...437#msg-247437
and ive been using this technique for months now. this is the first time where this has failed lol if this is wrong then why does it work? if its not then why doesn't it work for this specific instance?. while im at it, can anyone explain %S for me? lol i look it up in google and it completly ignores my query.

Absolute best way to stop hackers dead in their tracks, is to make sure that ANY and ALL input fields are protected with:

Code How do I post code blocks?

$post_this_val_instead = mysql_real_escape_string($_POST['some_field_name']);

Wham, all injections halted =)

http://us3.php.net/manual/en/functio...ape-string.php

Posted by teknicalissue How do I post quotes?

in my block of code

PHP How do I post PHP blocks?

class DeleteClass{
    public function deleteSomething($item2,$uniqueField2,$table2){

        $query = mysql_query("DELETE FROM '$table2' WHERE '$uniqueField2' = '$item2'");
  if(!query){
      echo mysql_error();
  }
}
} 


this returns an error... but if i remove the single quotes from the php variables in the query.. it works.. why??? i thought you were supposed to add single quotes to php variables in querys?

instead of using 's use `s instead...

PHP How do I post PHP blocks?

class DeleteClass{
    public function deleteSomething($item2,$uniqueField2,$table2){

        $query = mysql_query("DELETE FROM `" . $table2 . "` WHERE `" . $uniqueField2 . "` = `" . $item2 . "`");
  if(!query){
      echo mysql_error();
  }
}
} 


Also I broke the query up into a breaking string for you as well with the quotes and periods. When you use "'s in a query like that you're telling php to try and detect any variables in that string... Sometimes there aren't any and sometimes I just can't find them or thinks that it is not a variable where there is not a space before the variable... so '$variable would be skipped as a variable... Where as ' $variable would work. The safest way to do it is like so:

Code How do I post code blocks?

"SELECT * FROM `" . $tablename . "` WHERE....."