
Hope someone can help me

I have declared the variable

 <?php $sitename = "http://" .$_SERVER["SERVER_NAME"]; ?>

and would like to use the variable in a mysql query:

$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = "echo $sitename" AND g_page_url = '/index.asp'";

How do I do the "echo $sitename" part? Thanks.

4 Answers

3
$sitename = "http://" .$_SERVER["SERVER_NAME"];
$sitename = mysql_real_escape_string($sitename);
$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = '" . $sitename . "' AND g_page_url = '/index.asp'";

2 Comments

Hi hsz - This works for me, I learned something new as well with the mysql_real_escape_string($sitename); function! - Thanks
You're welcome! Use mysql_real_escape_string always when you have to put any untrusted data in SQL queries. If you use integer values, parse them to int: $id = (int) $_GET['id'], etc.
1
$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = '". mysql_real_escape_string($sitename) . "' AND g_page_url = '/index.asp'";

Two things to pull away from this:

  1. You don't want to echo a variable "into" an SQL query; this just doesn't make sense. You want to concatenate the variable with the rest of the string with the "." operator.

  2. You ALWAYS want to sanitize your input when inserting something into a database. In this case you want to escape your string to prevent SQL injections.
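An added example, not code from the question or from any of the answers above, that puts the two points side by side and adds the form most practitioners would use today, a prepared statement. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table and column names follow the question, the rows and the host name are constructed here, and `PDO::quote()` stands in for `mysql_real_escape_string()` because the `mysql_*` functions need a live MySQL connection (and were removed in PHP 7).

```php
<?php
// Added example (not from the question or the answers): the same lookup done three ways.
// PDO + in-memory SQLite so it runs offline; the rows below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE g_page (g_page_site TEXT, g_page_url TEXT, title TEXT)");
$pdo->exec("INSERT INTO g_page VALUES ('http://example.com', '/index.asp', 'Example home')");
// Standard SQL doubles a single quote inside a literal, so this host contains an apostrophe.
$pdo->exec("INSERT INTO g_page VALUES ('http://o''reilly.example', '/index.asp', 'Quote in host')");

// Stand-in for $_SERVER["SERVER_NAME"]. A real Host header is supplied by the client,
// so this value has to be treated as untrusted input, exactly as the answers say.
$sitename = "http://" . "o'reilly.example";

// 1. Plain interpolation (the -1 answer): no quotes around the value, so the database
//    tries to read http://... as SQL tokens instead of a string and the statement fails.
$bad = "SELECT * FROM g_page WHERE g_page_site = $sitename AND g_page_url = '/index.asp'";
try {
    $pdo->query($bad);
} catch (PDOException $e) {
    echo "unquoted: " . $e->getMessage() . "\n";
}

// 2. Quoted and escaped (the accepted answer's approach). PDO::quote() adds the
//    surrounding quotes and escapes the apostrophe, so the value stays a string.
$escaped = "SELECT * FROM g_page WHERE g_page_site = " . $pdo->quote($sitename)
         . " AND g_page_url = '/index.asp'";
$row = $pdo->query($escaped)->fetch(PDO::FETCH_ASSOC);
echo "escaped:  " . $row['title'] . "\n";

// 3. Prepared statement: the value never becomes part of the SQL text, so there is
//    nothing to quote or escape and the string may contain any characters at all.
$stmt = $pdo->prepare(
    "SELECT * FROM g_page WHERE g_page_site = :site AND g_page_url = :url"
);
$stmt->execute([':site' => $sitename, ':url' => '/index.asp']);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "prepared: " . $row['title'] . "\n";
```

Run it with `php example.php`: the first query raises a syntax error, while the escaped and prepared variants both return the "Quote in host" row. The prepared form is the one to keep, because the separation of SQL text from data does not depend on remembering to escape at every call site.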


0
$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = '".$sitename."' AND g_page_url = '/index.asp'";


-1
$query_rs_main = "SELECT * FROM g_page WHERE g_page_site = $sitename AND g_page_url = '/index.asp'";
