I was testing a simple employee application and got this Unknown column 'mush' in 'where clause' error. Ther开发者_运维百科e is someone called 'mush' in the name's column.
Here's my code
<?php
// Connects to your Database
mysql_connect("localhost", "myuser", "mypass") or die(mysql_error()) ;
mysql_select_db("peoplesdb") or die(mysql_error()) ;
//Retrieves data from MySQL
$data = mysql_query("SELECT * FROM employees WHERE name = $_GET[name]") or die(mysql_error());
echo "<table border=\"1\">";
echo "<tr>";
echo "<th>First Name:</th>";
echo " <td>Last Name</td>";
echo "</tr>";
echo "<tr>";
echo "<th rowspan=\"3\"><img src=\"../about/images/".$data['photo']."\" width=\"205\" height=\"205\" alt=\"\" title=\"\"></th>";
echo $data['name'];
echo "<td>".$data['name'] ."</td>";
echo "</tr>";
echo "<tr>";
echo "<td>".$data['lastname'] ."</td>";
echo "</tr>";
echo "</table>";
?>
The aim was to display the detail on a table with a picture to the left of the table. Here's how I tried calling the application:
http://localhost:8080/displaymembers.php?name=mush.
I have a table which contains these columns:
name, photo, telephone, lastname and dob.
Is there anything I'm going wrong that stops the details from displaying? I would like your help.
Helen.
First, you need to quote your inputs, second you need to escape them:
mysql_query("SELECT * FROM employees WHERE name = '".
mysql_real_escape_string( $_GET['name'] ) ."'");
You need to enclose it in quotes - e.g.
SELECT * FROM employees WHERE name = '{$_GET[name]}'
I would also suggest you use mysql_real_escape_string:
$data = mysql_query("SELECT * FROM employees WHERE name = '" . mysql_real_escape_string($_GET['name']) . "';") or die(mysql_error());
Try those put single quotes around your variable.
$_GET['name'];
And use mysql_real_escape_string to avoid SQL Injections.
you should try
$data = mysql_query("SELECT * FROM `employees` WHERE `name` = '".mysql_real_escape_string($_GET['name'])."'") or die(mysql_error());
as name
may be reserved for mysql purposes, and I believe it is ...
精彩评论