-3

I am a newbie, a real newbie when it's up to php...

I am building a form which gets information from the database and outputs the information for that specific selection, i have this code here:

$SQL ="SELECT hostess_id FROM hostess WHERE first_name_en="'.addslashes($_GET["titles"]).'""; 
?>

But it gives me an error, i mean it's not correct. How am i supposed to echo the results of this query?

Thanks

mgraph
  • 15,238
  • 4
  • 41
  • 75
Landi
  • 15
  • 5
  • 3
    And again the SO parser comes to rescue. BTW, is it so hard to use IDE - any IDE, even the simplest one - to check the syntax of your code before asking here? ) – raina77ow Jun 18 '12 at 10:00
  • 3
    addslashes() will *not* protect you query from attack –  Jun 18 '12 at 10:03
  • 1
    [Best way to prevent SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – PeeHaa Jun 18 '12 at 10:07
  • I think this is a valid question and should not be closed or down voted. He just didn't know any better! He described his problem and posted code. I don't think he did anything wrong. Also it's his first question. Be polite, please! – PiTheNumber Jun 18 '12 at 10:13
  • @PiTheNumber I voted to close after you told me not to, just thought you should know for next time. No one is found of being told how to act. It's not as if you answered the question or added anything to it but your criticism of others. –  Jun 18 '12 at 10:29
  • Taulant, I think what @raina77ow is suggesting is that if you install Eclipse/Netbeans, this would be revealed as an error in the IDE - making the process easier for you `:)` – halfer Jun 18 '12 at 10:29
  • Thanks everyone for the suggestion, i'll install Netbeans right now :) – Landi Jun 18 '12 at 10:34
  • @Dagon I did not meant to tell anyone what to do, I just said what I thought. The question was already answered, there was nothing to add. Also I did some research I found this explaining post on the topic: http://blog.stackoverflow.com/2011/02/are-some-questions-too-simple/ – PiTheNumber Jun 18 '12 at 10:35

1 Answers1

4

instead of : 

"'.addslashes($_GET["titles"]).'"

do:

'".addslashes($_GET["titles"])."'

result:

$SQL ="SELECT hostess_id FROM hostess WHERE first_name_en='".addslashes($_GET["titles"])."'"; 

$query = mysql_query($SQL) or die(mysql_error());
while($res = mysql_fetch_assoc($query)){
   echo $res["hostess_id"];
}

NB :

stop writing new code with the ancient mysql_* functions. They are no longer maintained and community has begun the deprecation process . Instead you should learn about prepared statements and use either PDO or MySQLi. If you cannot decide, this article will help to choose. If you care to learn, here is a quite good PDO-related tutorial

mgraph
  • 15,238
  • 4
  • 41
  • 75