I created a PHP page.
This is my code.

$con=mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$sql = mysql_query("SELECT * FROM $tbl_name WHERE (Order = '" . $_POST['order'] . "')") or die(mysql_error());

But it's showing an error like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Order = 'xx')' at line 1

Please clear my error.

All 3 Replies

Your error occurred with the use of ". In other words, you used " too many times.

Put the query in a string, and output that string. Your query is broken somehow.

Remember to never put raw $_POST data in your query - run it through mysql_real_escape_string() first to avoid injection.

Also, please wrap your code in tags.

Hi, just try to do it like this...

<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
?>
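
An added example, not code from any poster in this thread: `ORDER` is a reserved word in MySQL, which is why the parser stops at `Order = 'xx'`, so the column name has to be quoted with backticks, and the `$_POST` value is safer as a bound parameter than concatenated into the string. The sketch assumes PDO with an in-memory SQLite database standing in for the MySQL server (SQLite also reserves `ORDER` and accepts backtick quoting) so it runs offline; the table `orders_demo`, its rows, and the helpers `quoteTable()` and `findByOrder()` are hypothetical.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL server so the
// script runs offline; the table name and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `Order` is a reserved word, so the column name is quoted as an identifier.
$pdo->exec('CREATE TABLE orders_demo (`Order` TEXT, item TEXT)');
$pdo->exec("INSERT INTO orders_demo VALUES ('xx', 'widget'), ('yy', 'gadget')");

// Identifiers cannot be bound as parameters: check the table name against
// a fixed allowlist before it is interpolated.
function quoteTable(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $name");
    }
    return '`' . $name . '`';
}

// Values travel as bound parameters and are never parsed as SQL.
function findByOrder(PDO $pdo, string $table, string $order): array
{
    $sql  = 'SELECT * FROM ' . quoteTable($table, ['orders_demo'])
          . ' WHERE `Order` = :order';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':order' => $order]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. The thread's query shape, unquoted column: the parser rejects it.
try {
    $pdo->query("SELECT * FROM orders_demo WHERE (Order = 'xx')");
} catch (PDOException $e) {
    echo "unquoted: syntax error\n";
}

// 2. Normal value, standing in for $_POST['order'].
echo count(findByOrder($pdo, 'orders_demo', 'xx')), " row(s) for 'xx'\n";

// 3. A value containing a quote and SQL text is compared as a literal
//    string, so it matches no row instead of altering the WHERE clause.
echo count(findByOrder($pdo, 'orders_demo', "xx' OR '1'='1")), " row(s) for crafted value\n";
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the `mysql_*` functions used in the thread were removed in PHP 7.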