Don't hard code your escape sequences, let the database functions do
it.  Also the quoting is important, use double quotes surrounding
anything single quoted where you have variable expansion.

do something like:

$lname= db2_escape_string(trim($_REQUEST['last_name']));
$sql =  "SELECT * FROM users where LCASE(LAST_NAME) = '$lname'";

Try that out.

Also, now everyone knows your database password.

--Donald


On Thu, Jun 30, 2011 at 12:58 PM, robert mckennon <[email protected]> wrote:
> Help....
>
> I'm trying to query a db2 database from PHP, passing the $sql
> statement a variable...
>
> This statement works fine without passing it a variable...
>    $sql = 'SELECT * FROM users where LCASE(last_name) = \'mckennon\';';
>
> The problem comes in when I get the last_name from a previous web page
> passed in via a POST:
> $lname = $_POST['last_name'];
>
>
> I've tried the following so far:
> tried:
>   $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = \'$lname\';';
>  yields:
>   sql statement is: SELECT * FROM users where LCASE(LAST_NAME) = '$lname';
>
> tried:
>   $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = '$lname';';
>  yields:
> [Thu Jun 30 13:07:18 2011] [error] [client 10.11.250.48] PHP Parse
> error:  syntax error, unexpected T_VARIABLE in
> /var/www/html/db2_search.php on line 13
>
> tried:
>   $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = $lname;';
>  yields:
>   sql statement is: SELECT * FROM users where LCASE(LAST_NAME) = $lname;
>  and
>  [Thu Jun 30 13:09:26 2011] [error] [client 10.11.250.48] PHP
> Warning:  db2_execute() [<a
> href='function.db2-execute'>function.db2-execute</a>]: Statement
> Execute Failed in /var/www/html/db2_search.php on line 16
>
>
> Can someone tell me what stupid thing I'm missing?
>
> rob.
>
> p.s.
>
> Here's an excerpt from the code:
>
> <?php
> # /var/www/html/db2_search.php
> $lname = $_POST['last_name'];
> echo "lastname is :  ", $lname, "<br />";
> $database = 'xxxx';
> $user = 'db2inst1';
> $password = 'db2inst1';
>
> $conn = db2_connect($database, $user, $password);
>
> if ($conn) {
>   echo "connection successful. <br />";
>   $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = $lname;';
>   echo "sql statement is:  ", $sql, "<br />";
>   $stmt = db2_prepare($conn, $sql);
>   $result = db2_execute($stmt);
> ....
>
> ---------------------------------------------------------------------
> Archive      http://marc.info/?l=jaxlug-list&r=1&w=2
> RSS Feed     http://www.mail-archive.com/[email protected]/maillist.xml
> Unsubscribe  [email protected]
>
>



-- 
Donald Cowart
http://www.rdex.net/
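The quoted thread boils down to one point: the last name must reach DB2 as data, not as part of the SQL text. Escaping plus double-quoted interpolation (as Donald suggests) works, but a parameter marker removes the quoting question entirely. The script below is an added example, not code from either poster; it assumes the ibm_db2 extension (the same db2_connect/db2_prepare/db2_execute functions used in the thread) and reads the credentials from environment variables whose names are placeholders, rather than writing the password into the file.

```php
<?php
// Added example (not the list poster's code): the query from the thread rewritten
// with a '?' parameter marker so the posted last name is bound as a value and
// never spliced into the SQL string. Assumes the ibm_db2 extension.
// Credentials come from the environment; the variable names are placeholders.
$database = getenv('DB2_DATABASE');   // assumption: set outside the script
$user     = getenv('DB2_USER');
$password = getenv('DB2_PASSWORD');

$conn = db2_connect($database, $user, $password);
if (!$conn) {
    die('connection failed: ' . db2_conn_errormsg());
}

// Trim and lower-case in PHP so the value compares correctly against
// LCASE(LAST_NAME) on the DB2 side, whatever case the form submitted.
$lname = isset($_POST['last_name']) ? strtolower(trim($_POST['last_name'])) : '';

// The SQL text contains only the marker; no quoting of $lname is needed at all,
// and a quote or semicolon in the input cannot change the statement.
$sql  = 'SELECT * FROM users WHERE LCASE(LAST_NAME) = ?';
$stmt = db2_prepare($conn, $sql);
if (!$stmt) {
    die('prepare failed: ' . db2_stmt_errormsg());
}

// db2_execute() accepts the marker values as an array, in marker order.
if (!db2_execute($stmt, array($lname))) {
    die('execute failed: ' . db2_stmt_errormsg($stmt));
}

while ($row = db2_fetch_assoc($stmt)) {
    // Escape on output as well, so a stored value cannot inject markup into the page.
    echo htmlspecialchars($row['LAST_NAME'], ENT_QUOTES, 'UTF-8'), "<br />";
}

db2_close($conn);
```

With the marker in place there is no `'$lname'` to get wrong: the single-quote-with-backslash and double-quote variants from the thread both disappear, and the `db2_execute() ... Statement Execute Failed` warning the original poster saw (caused by the literal, unquoted `$lname` text in the SQL) cannot arise from the input itself. Checking `db2_stmt_errormsg()` on failure also turns that generic warning into the actual DB2 error text.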
