Here is my PHP code, and I want to get a JSON array relevant to my $_GET["ProductGroup"] variable. But when I log in to the page by submitting parameters via the URL http://iilsfa.br0s.info/SFA/get_all_products.php?%27Laptops%27 it displays this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

I could not find where the error is. Please help.

<?php
include_once './db_connect.php';

function getProducts() {
    $db = new DB_CONNECT();

    // array for json response
    $response = array();
    $response["products"] = array();

    // check for GET data
    if (isset($_GET["ProductGroup"])) {
        $selected_group = $_GET['ProductGroup'];
    }

    // Mysql select query (the value is interpolated into the SQL text unquoted)
    $result = mysql_query("SELECT * FROM Product WHERE ProductType= $selected_group") or die(mysql_error());

    while ($row = mysql_fetch_array($result)) {
        // temporary array to create a single product
        $tmp = array();
        $tmp["id"] = $row["ProductID"];
        $tmp["name"] = $row["ProductName"];
        $tmp["type"] = $row["ProductType"];
        $tmp["image"] = $row["ProductImage"];
        $tmp["des"] = $row["ProductDescription"];

        // push product to final json array
        array_push($response["products"], $tmp);
    }

    // keeping response header to json
    header('Content-Type: application/json');

    // echoing json result
    echo json_encode($response);
}

getProducts();
?>

PS: I have changed my SQL query to this:

$result = mysql_query("SELECT * FROM Product WHERE ProductType=   '".mysql_real_escape_string('$selected_group')."'")or die(mysql_error());

Now it's not displaying the previous error, but it shows an empty JSON string. I have checked the SQL query with phpMyAdmin; it works correctly and produces results.

  • See the single quotes? ProductType= '$selected_group' (Commented Apr 8, 2014 at 6:27)

3 Answers


Try this below. Don't use a simple query; see SQL injection. Use mysql_real_escape_string to prevent SQL injection.

<?php
include_once './db_connect.php';

function getProducts() {
    $db = new DB_CONNECT();

    // array for json response
    $response = array();
    $response["products"] = array();

    // check for GET data (default to an empty string when the key is absent)
    $selected_group = '';
    if (isset($_GET["ProductGroup"])) {
        $selected_group = $_GET['ProductGroup'];
    }

    // Mysql select query: the value is quoted and escaped before interpolation
    $result = mysql_query("SELECT * FROM Product WHERE ProductType= '" . mysql_real_escape_string($selected_group) . "'") or die(mysql_error());

    while ($row = mysql_fetch_array($result)) {
        // temporary array to create a single product
        $tmp = array();
        $tmp["id"] = $row["ProductID"];
        $tmp["name"] = $row["ProductName"];
        $tmp["type"] = $row["ProductType"];
        $tmp["image"] = $row["ProductImage"];
        $tmp["des"] = $row["ProductDescription"];

        // push product to final json array
        array_push($response["products"], $tmp);
    }

    // keeping response header to json
    header('Content-Type: application/json');

    // echoing json result
    echo json_encode($response);
}

getProducts();
?>

Comments

I have changed my code to this: $result = mysql_query("SELECT * FROM Product WHERE ProductType= '".mysql_real_escape_string('$selected_group')."'")or die(mysql_error()); but now the JSON array is empty. Can you help? You can see the results at the above URL.
@san88 Please check whether a record relevant to the selected ProductType is found in the database or not.
Yes, the database contains 5 records for the Laptops keyword, and when I execute the SQL command in phpMyAdmin, it's working correctly.
Just echo ("SELECT * FROM Product WHERE ProductType= '".mysql_real_escape_string($selected_group)."'"); and see the query, and then run this query in the DB.
I have added these lines: echo "this is a test"; echo ("SELECT * FROM Product WHERE ProductType= '".mysql_real_escape_string($selected_group)."'"); but it's still not working. You can see the results by using this URL: iilsfa.br0s.info/SFA/get_all_products.php?%22Laptops%22 Please help.


Quote the parameters...

$result = mysql_query("SELECT * FROM Product WHERE ProductType= '$selected_group'")or die(mysql_error());

You must not use mysql_*.
Also, look at mysqli_real_escape_string.

Comments


First, your code is well documented, even for a starter; not too much, only in the places where it's required.

Now, your error lies in the query itself.

$result = mysql_query("SELECT * FROM Product WHERE ProductType= $selected_group")or die(mysql_error());

If a field in the query is of type string, you must add single quotes around it, or the interpreter will think that you're looking for a column name. Below is a solution.

$result = mysql_query("SELECT * FROM Product WHERE ProductType= '$selected_group'")or die(mysql_error());

But I would add that your query is not secure. It allows SQL injection, which can harm your database data. For further information about SQLi, please refer to this page.

You can go for the mysqli() functions, which are an improved version of the mysql() functions, although I recommend using PDO instead.

Comments
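As an added example that is not part of the original thread, the Python script below reproduces each variant of the query from the question and the three answers against an in-memory SQLite table (SQLite stands in for MySQL; the Product column names come from the question, the rows are constructed). It shows why the unquoted form errors, why the single-quoted '$selected_group' from the PS returns nothing, that the quoted-but-interpolated form is injectable, and that escaping or, better, a parameterized query closes the hole. One thing the thread does not spell out: both URLs posted (?%27Laptops%27 and ?%22Laptops%22) carry no ProductGroup= key, so isset($_GET["ProductGroup"]) is false, $selected_group stays empty, and the first query ends in "ProductType= ", which is exactly the "near ''" syntax error; the unquoted() call with an empty value reproduces that.

```python
import sqlite3

# Constructed sample rows (not from the original page), shaped like the
# question's Product table: ProductID, ProductName, ProductType,
# ProductImage, ProductDescription.
SAMPLE_PRODUCTS = [
    (1, "ThinkPad", "Laptops", "tp.png", "14-inch"),
    (2, "MacBook", "Laptops", "mb.png", "13-inch"),
    (3, "Pixel", "Phones", "px.png", "6-inch"),
]


def make_db():
    """In-memory SQLite database standing in for the MySQL one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Product (ProductID INTEGER, ProductName TEXT, "
        "ProductType TEXT, ProductImage TEXT, ProductDescription TEXT)"
    )
    conn.executemany("INSERT INTO Product VALUES (?, ?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def run(conn, sql, params=()):
    """Run a query; return the sorted product names, or 'ERROR: ...' on failure."""
    try:
        rows = conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    return sorted(row[1] for row in rows)


def unquoted(conn, group):
    # The question's query: the value lands in the SQL text without quotes.
    # A non-empty value is parsed as a column name (SQLite: "no such column",
    # MySQL: "Unknown column"); an empty value leaves "ProductType= " dangling,
    # which is the "syntax ... near ''" error MySQL reported.
    return run(conn, f"SELECT * FROM Product WHERE ProductType= {group}")


def literal_dollar(conn, group):
    # The OP's second attempt, mysql_real_escape_string('$selected_group'):
    # PHP does not interpolate inside single quotes, so the SQL compares
    # ProductType with the literal text "$selected_group" and matches nothing.
    # `group` is accepted for symmetry but, as in the OP's code, never reaches
    # the query.
    return run(conn, "SELECT * FROM Product WHERE ProductType= '$selected_group'")


def quoted_interpolated(conn, group):
    # The quoting fix from answers 2 and 3 with no escaping: a single quote in
    # the input ends the string literal and the rest is executed as SQL.
    return run(conn, f"SELECT * FROM Product WHERE ProductType= '{group}'")


def quoted_escaped(conn, group):
    # Answer 1's approach (mysql_real_escape_string), in SQL-standard form for
    # SQLite: double each single quote so it stays inside the literal.
    safe = group.replace("'", "''")
    return run(conn, f"SELECT * FROM Product WHERE ProductType= '{safe}'")


def parameterized(conn, group):
    # Prepared/parameterized statement (what PDO or mysqli gives you in PHP):
    # the value is bound separately and never becomes part of the SQL text.
    return run(conn, "SELECT * FROM Product WHERE ProductType= ?", (group,))


if __name__ == "__main__":
    db = make_db()
    payload = "Laptops' OR '1'='1"   # constructed injection input
    print("unquoted, empty value:   ", unquoted(db, ""))
    print("unquoted, 'Laptops':     ", unquoted(db, "Laptops"))
    print("literal $selected_group: ", literal_dollar(db, "Laptops"))
    print("quoted, normal input:    ", quoted_interpolated(db, "Laptops"))
    print("quoted, injected input:  ", quoted_interpolated(db, payload))
    print("escaped, injected input: ", quoted_escaped(db, payload))
    print("parameterized, injected: ", parameterized(db, payload))
```

The escaped form works for this payload, but it only stays safe as long as the quoting and the escape function's charset agree with the connection's; the parameterized form has no such dependency, which is why answer 3's recommendation of PDO (or mysqli prepared statements) is the one to follow.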
