[RESOLVED] Problem with MYSQL query

K0108788

I keep getting the same error with this query:

$query = 	"SELECT  lecturer_role, SK_ID, LK_ID FROM student_project " .
		"WHERE LK_ID = ' " . $_POST['username'] . " '; " .
		"AND SK_ID = ' " . $_POST['SK_ID'] . " '; " .
		"AND lecturer_role = ' " . $_POST['lecturer_role'] . " '; ";
$result =	mysql_query($query)

This is the error msg:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; AND SK_ID = ' '; AND lecturer_role = ' '' at line 1

rincewind456

You don't need all that concatination.
You cant have ; in the middle of an sql statement as it is a delimeter, so every time sql see's a ; it assumes the previous query is complete and a new one is starting, so with your syntax it thinks your trying to run 3 queries.
This should work

$query =     "SELECT  lecturer_role, SK_ID, LK_ID FROM student_project 
WHERE LK_ID = ' " . $_POST['username'] . " ' 
AND SK_ID = ' " . $_POST['SK_ID'] . " ' 
AND lecturer_role = ' " . $_POST['lecturer_role'] . " '"; 
$result =    mysql_query($query)

bpat1434

K0:
It's good that you're concatenating like that though. It helps for when you want to validate or ensure that hacking attempts aren't being tried. Concatenation is the first step. The next is to actually try and prohibit the hacking from affecting you with [man]mysql_real_escape_string/man around each $_POST[] item....

But, if you don't like concatenation (like some don't), you could do it this way:

<?php
$uname = mysql_real_escape_string($_POST['username']);
$skid = mysql_real_escape_string($_POST['SK_ID']);
$lrole = mysql_real_escape_string($_POST['lecturer_role']);

// Now, all our strings are most likely free of hacking issues (no guarantee)
$query = "SELECT lecturer_role, SK_ID, LK_ID
FROM student_project
WHERE LK_ID='$uname'
    AND SK_ID='$skid'
    AND lecturer_role='$lrole'";
$result = mysql_query($query);

Now, the reason the query is broken up on lines is because when you run the mysql_error() function, it gives a line number. Break the query up on lines, you can quickly find it. It's most helpful on long complicated queries.