0

I have a table called cms_settings. I name all the tables with a prefix cms_, so I created a variable $dbpraefix="cms_". When I call the entry using the "select value from $dbpraefix.settings" command, it failed to proceed.

I also tried different versions, like "select from '.$dbpraefix.'settings", etc. Nothing works.

But if I use "select value from cms_settings" instead, it works! How can I fix this? Thanks a lot.

    <?PHP
    function getSetting($property){
        global $connection;
        $dbpraefix= "cms_";
        $sql= "SELECT value FROM $dbpraefix.settings WHERE property='$property'";
        $ergebnis= mysqli_query($connection, $sql);
        $row = mysqli_fetch_row($ergebnis);
        return $row[0];
    }
    ?>
4
  • WARNING: When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation or concatenation to accomplish this because you have created a severe SQL injection bug. NEVER put $_POST or $_GET data directly into a query, it can be very harmful if someone seeks to exploit your mistake. Commented Sep 3, 2016 at 4:49
  • Thanks tadman. I'm new to PHP so I still don't understand your advice, but I'll come back to see this post again in 6 months :) I hope to understand it then. Commented Sep 3, 2016 at 7:41
  • There's a lot of dangerous people out there that will probe your site if this code is public and look for problems. Don't get caught out. Using placeholder values isn't hard and actually makes your code a lot cleaner and easier to read. Commented Sep 3, 2016 at 7:47
  • Is this question still open? I don't see any accepted answer down there. Commented Sep 13, 2016 at 13:46

4 Answers

3

Your query fails because in the string "...$dbpraefix.settings..." PHP doesn't realize that you want the . in the middle to be the string concatenation operator instead of a simple dot. As a result the string becomes cms_.settings instead of cms_settings.

Change:

    "SELECT value FROM $dbpraefix.settings WHERE property='$property'";

To:

    "SELECT value FROM {$dbpraefix}settings WHERE property='$property'";

1 Comment

"SELECT value FROM {$dbpraefix}settings WHERE property='{$property}'"; I like being consistent when using brackets :)
0

You have a dot between the prefix and table name, that's why it won't work.

Try this: " . $dbpraefix . "settings.

Comments

0

The easiest way is to add a new parameter to your function so that, when passed into the function, it specifies the table's name, e.g. $table = "settings";

    function getSetting($property,$table){
        global $connection;
        $table= "cms_".$table;
        $sql= "SELECT value FROM $table WHERE property='$property'";
        $ergebnis= mysqli_query($connection, $sql);
        $row = mysqli_fetch_row($ergebnis);
        return $row[0];
    }

Comments

0

Change your query as below:

    $sql= "SELECT value FROM ".$dbpraefix."settings WHERE property='$property'";

Comments
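The prefix fix from the answers above and the parameterized-query advice from the question's comments, combined in one added example (not code from the question or from any answer). It assumes an open mysqli connection and the cms_settings table with property and value columns from the question; the allow-list, the prefix pattern and the 'site_title' property name are hypothetical.

```php
<?php
// Added example: not code from the question or any answer on this page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on query errors

/**
 * Build a prefixed table name. Identifiers cannot be bound as parameters,
 * so the prefix is checked against a strict pattern and the base name
 * against a fixed allow-list before either reaches the SQL string.
 */
function prefixedTable(string $prefix, string $table): string
{
    $allowedTables = ['settings']; // assumption: tables this code may read
    if (!preg_match('/^[A-Za-z0-9_]{0,16}$/', $prefix)) {
        throw new InvalidArgumentException('Invalid table prefix');
    }
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    return '`' . $prefix . $table . '`'; // e.g. `cms_settings`, no stray dot
}

/**
 * Return the value stored for $property, or null if there is no such row.
 */
function getSetting(mysqli $connection, string $property, string $prefix = 'cms_'): ?string
{
    $sql = 'SELECT value FROM ' . prefixedTable($prefix, 'settings') . ' WHERE property = ?';
    $stmt = $connection->prepare($sql);
    $stmt->bind_param('s', $property); // user data travels as a bound parameter
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();           // true, or null when no row matched
    $stmt->close();
    return $found ? $value : null;
}

// Usage, with placeholder credentials and a constructed property name:
// $connection = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
// echo getSetting($connection, 'site_title');
```

Because the property is bound with `?`, a value such as `x' OR '1'='1` is compared as a literal string and simply matches no row.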
