Passing PHP variables into sql query

how to include a php variable in a mysql select query
php variable in sql query
php sql query
php set variable from sql query
how to use php variable in mysqli query
php mysql query result
how to pass variable in mysql query
insert query in php

I would like to create a filter, and pass both category and the value into the sql query in the WHERE clause. If i set manually the category, it gets the values and filters the results. But when I want to pass the category, it gives me this error.

Here is the code I use:

$('#filterEvents').click(function () {
    document.location.href = 'events.php?filter=' + $('#eventFilterOption').val() + '&filterValue=' + $('#eventFilterInput').val();
});

And the PHP processing:

$category = $_GET['filter'];
$searchValue = $_GET['filterValue'];

$sql = "SELECT EV_Date, EV_KKZ, EV_CardNr, TE_Name, EV_Name, EV_SurName, EV_EventTyp FROM events1
    INNER JOIN terminal1 ON terminal1.TE_IDX = events1.EV_FK_TermIDX
    WHERE ".$category." = '" . $searchValue . "'
    ORDER BY EV_Date DESC
    LIMIT 2000";

print_r($sql);

$query = $DB->prepare($sql);
$query->execute();
$data = $query->fetchAll(PDO::FETCH_ASSOC);

If you change the functionality a little you will be able to use the prepared query with bound params.

so say you have filters for colour and size at the moment looks like you would call urls like

events.php?filter=Colour&filterValue=Red
events.php?filter=Size&filterValue=Large

you could change to pass filter[name]=value

events.php?filterColour=Red
events.php?filterSize=Large

Javascript would look something like this

$('#filterEvents').click(function () {
    document.location.href = 'events.php?filter' + $('#eventFilterOption').val() + '=' + $('#eventFilterInput').val();
});

The query could be rewritten as follows (assuming columns of Size and Colour)

$sql = "SELECT EV_Date, ....
WHERE 
  ( '' = :colour OR Colour = :colour ) AND
  ( '' = :size OR Size = :size ) 
ORDER BY ....

and a call to bind the actual params added

$query = $DB->prepare($sql);
$query->bindParam(':colour', $_GET['filterColour'], PDO::PARAM_STR, 12);
$query->bindParam(':size', $_GET['filterSize'], PDO::PARAM_STR, 12);
$query->execute();

This allows you to use prepared queries and avoid risk of SQL injection As a bonus (or bug) it could support multiple filter options at the same time

events.php?filterSize=Large&filterColour=Red

How to include a PHP variable inside a MySQL statement, The rules of adding a PHP variable inside of any MySQL statement are plain and simple: Any variable that represents an SQL data literal, (or, to  declare @sql varchar(100) = 'select 1+1' execute( @sql) All current variables are not visible (except the temporary tables) in a single block of code created by the Execute method. Passing NULL. Pay an extra attention while passing variables with a NULL value. Any merger with NULL will result in NULL, therefore, instead of a query, you may receive an empty string.


You have a problem with getting the variables - the PHP script is not getting the values - so I believe you have a bug in your Javascript.

More importantly, this is not a safe way to run queries. Your PHP is taking variables passed by the user and inserting them directly into SQL - with no validation. It would be very easy to abuse this functionality to extract information or modify your database.

You should use the value of $category to select a known column and then use bind parameters to set $searchValue.

Php variables within mysql query - Databases, is it possible to make a mysql query dynamic in that it will only look for is passed to clientLogin.php via index.php and is then broken into two  You can use ‘@{}’ to surround the variable name, so the query should look something like below. select * from airline_2016_01 where fl_date > @{cutoff_date} And you can click on ‘Get Data’ button. This will replace all the variables inside the query, in this case that is ‘@{cutoff_date}’, before submitting the query to the database.


You have empty values here:

$category = $_GET['filter'];
$searchValue = $_GET['filterValue'];

You should debug the method how you are getting them in js. BTW you will always see that error when open this page /events.php. Because these variables will be empty by default.

[SOLVED] Php variables in sql query, Having trouble, Solution: 1) Never put variables in strings, yes it can be done, but this is really, really, really bad. Only integers and doubles can be passed without quotation marks. 4) You should used prepared statements (which mysqli supports, see PHP  The rules of adding a PHP variable inside of any MySQL statement are plain and simple: Any variable that represents an SQL data literal, (or, to put it simply - an SQL string, or a number) must be added through a prepared statement. No Exceptions.


php variable in mysql query [SOLVED], Are seem to be updating without cleaning your input - use mysql_real_escape_string() and maybe htmlentities() so that input is safe. Try: When you query a linked server, you frequently perform a pass-through query that uses the OPENQUERY, OPENROWSET, or OPENDATASOURCE statement. You can view the examples in SQL Server Books Online to see how to do this by using pre-defined Transact-SQL strings, but there are no examples of how to pass a variable to these functions.


PHP extract() Function, For each element it will create a variable in the current symbol table. This function returns the number of variables extracted on success. Syntax. extract(array,  Auto Generate INSERT. INSERT with IDENTITY. Get Free SQL Tips. By: Jeremy Kadlec. Variables are used as a means to assign values in code rather than hard coding values. In simple examples, variables may seem excessive, but they are a good concept to understand as your development skills progress. In this example, we are going to slightly change


PDOStatement::bindParam - Manual, PDOStatement::bindParam — Binds a parameter to the specified variable name output parameters, and some also as input/output parameters that both send in data and Name of the PHP variable to bind to the SQL statement parameter. When you have to pass in the whole Transact-SQL query or the name of the linked server (or both), use code that is similar to the following sample: DECLARE @OPENQUERY nvarchar(4000), @TSQL nvarchar(4000), @LinkedServer nvarchar(4000) SET @LinkedServer = 'MyLinkedServer'.