On Thu, Jun 30, 2011 at 1:04 PM, The Donald Cowart <[email protected]> wrote:
> Don't hard code your escape sequences, let the database functions do
> it. Also the quoting is important, use double quotes surrounding
> anything single quoted where you have variable expansion.
>
> do something like:
>
> $lname = db2_escape_string(trim($_REQUEST['last_name']));
> $sql = "SELECT * FROM users where LCASE(LAST_NAME) = '$lname'";
>
> Try that out.
>
> Also, now everyone knows your database password.

The password, yes, but not the database name.

> --Donald

Holy BLEEP! That worked! Thank you!

It almost seems counter-intuitive (at least for me) that more quotes are
needed in order to pass in a variable...

Rob.

>
>
> On Thu, Jun 30, 2011 at 12:58 PM, robert mckennon <[email protected]>
> wrote:
>> Help....
>>
>> I'm trying to query a db2 database from PHP, passing the $sql
>> statement a variable...
>>
>> This statement works fine without passing it a variable...
>> $sql = 'SELECT * FROM users where LCASE(last_name) = \'mckennon\';';
>>
>> The problem comes in when I get the last_name from a previous web page
>> passed in via a POST:
>> $lname = $_POST['last_name'];
>>
>>
>> I've tried the following so far:
>> tried:
>> $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = \'$lname\';';
>> yields:
>> sql statement is: SELECT * FROM users where LCASE(LAST_NAME) = '$lname';
>>
>> tried:
>> $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = '$lname';';
>> yields:
>> [Thu Jun 30 13:07:18 2011] [error] [client 10.11.250.48] PHP Parse
>> error: syntax error, unexpected T_VARIABLE in
>> /var/www/html/db2_search.php on line 13
>>
>> tried:
>> $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = $lname;';
>> yields:
>> sql statement is: SELECT * FROM users where LCASE(LAST_NAME) = $lname;
>> and
>> [Thu Jun 30 13:09:26 2011] [error] [client 10.11.250.48] PHP
>> Warning: db2_execute() [<a
>> href='function.db2-execute'>function.db2-execute</a>]: Statement
>> Execute Failed in /var/www/html/db2_search.php on line 16
>>
>>
>> Can someone tell me what stupid thing I'm missing?
>>
>> rob.
>>
>> p.s.
>>
>> Here's an excerpt from the code:
>>
>> <?php
>> # /var/www/html/db2_search.php
>> $lname = $_POST['last_name'];
>> echo "lastname is : ", $lname, "<br />";
>> $database = 'xxxx';
>> $user = 'db2inst1';
>> $password = 'db2inst1';
>>
>> $conn = db2_connect($database, $user, $password);
>>
>> if ($conn) {
>> echo "connection successful. <br />";
>> $sql = 'SELECT * FROM users where LCASE(LAST_NAME) = $lname;';
>> echo "sql statement is: ", $sql, "<br />";
>> $stmt = db2_prepare($conn, $sql);
>> $result = db2_execute($stmt);
>> ....
>>
>> ---------------------------------------------------------------------
>> Archive http://marc.info/?l=jaxlug-list&r=1&w=2
>> RSS Feed http://www.mail-archive.com/[email protected]/maillist.xml
>> Unsubscribe [email protected]
>>
>>
>
>
>
> --
> Donald Cowart
> http://www.rdex.net/
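Added example, not code from either poster in this thread: the same query written so that the user-supplied last name never becomes part of the SQL text at all. Donald's db2_escape_string() version works because the escaped value is interpolated inside a single-quoted SQL literal, but ibm_db2's db2_prepare()/db2_execute() already support parameter markers, so the value can be passed separately and no escaping or quote juggling is needed. The table and column names come from the thread; the environment variable names and the HTML output are assumptions for this example.

```php
<?php
// Added example (not from the thread): query DB2 from PHP with a parameter
// marker instead of interpolating $lname into the SQL string.
// Assumes the ibm_db2 extension and the 'users' table used in the thread.

$lname = isset($_POST['last_name']) ? trim($_POST['last_name']) : '';

// Assumption: credentials come from the environment (or a file outside the
// web root) rather than being hard-coded in the script, which is what the
// "everyone knows your database password" remark is about.
$database = getenv('DB2_DATABASE');
$user     = getenv('DB2_USER');
$password = getenv('DB2_PASSWORD');

$conn = db2_connect($database, $user, $password);
if (!$conn) {
    die('connection failed: ' . htmlspecialchars(db2_conn_errormsg()));
}

// The SQL text is a fixed string with no user data in it. The '?' is a
// parameter marker that DB2 fills in at execution time, so quotes, ';' or
// anything else typed into the form cannot change the structure of the query.
// Note there is no trailing ';' inside the string, matching Donald's version.
$sql  = 'SELECT * FROM users WHERE LCASE(LAST_NAME) = ?';
$stmt = db2_prepare($conn, $sql);
if (!$stmt) {
    die('prepare failed: ' . htmlspecialchars(db2_stmt_errormsg()));
}

// Bind the value positionally via the second argument of db2_execute().
// Lower-casing it in PHP keeps the comparison consistent with LCASE() on the column.
if (!db2_execute($stmt, array(strtolower($lname)))) {
    die('execute failed: ' . htmlspecialchars(db2_stmt_errormsg($stmt)));
}

while ($row = db2_fetch_assoc($stmt)) {
    // Escape on the way out too: values read back from the table are
    // untrusted in an HTML context, just as $_POST data is.
    echo htmlspecialchars($row['LAST_NAME']), "<br />";
}

db2_close($conn);
```

Echoing the finished $sql to the page, as the original script does, also reflects whatever the user posted straight into the HTML; with a parameter marker the logged statement is always the same fixed string, and the bound value can be logged separately if it is needed for debugging.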

