Concatenating a variable in a mysql_query string

BenSeagrave

I'm trying to concatenate a variable in a mysql_query string but whatever I try, I get an error. I've been trying to figure this out for the past few days and I've looked online for a solution but couldn't find nothing to help.

Here's the string:

$query = 'SELECT review_movie_id, review_date, reviewer_name, review_comment,
			review_rating
	     FROM reviews
	     WHERE review_movie_id = ' . $_GET['movie_id'] . '
             ORDER BY ' . $sort . ' ASC';

And these are the errors I'm getting:

Notice: Undefined index: review_date in C:\xampp\htdocs\PHP\Chapter 4\movie_details.php on line 177

Notice: Undefined index: reviewer_name in C:\xampp\htdocs\PHP\Chapter 4\movie_details.php on line 178

Notice: Undefined index: review_comment in C:\xampp\htdocs\PHP\Chapter 4\movie_details.php on line 179

Notice: Undefined index: review_rating in C:\xampp\htdocs\PHP\Chapter 4\movie_details.php on line 180

I've tried so many different things but nothing seems to work I just get different error messages. Hopefully someone here can help.

Thanks!

BenSeagrave

I'm currently going through a book on PHP and he hasn't yet gone through SQL Injection but I do know a little bit about it and I know that he does cover it later on in the book. But thanks for your concern!

Here is a bigger chunk of my code, including the lines you asked for:

if (isset($_GET['sort'])) {
	$sort = $_GET['sort'];
} else {
	$sort = 'review_date';
}
$
//retrieve reviews for this movie
$query = 'SELECT review_movie_id, review_date, reviewer_name, review_comment,
				 review_rating
		  FROM reviews
		  WHERE review_movie_id = ' . $_GET['movie_id'] . '
		  ORDER BY ' . $sort . ' ASC';
$result = mysql_query($query, $db) or die(mysql_error($db));
$mid = $result['review_movie_id'];
//display the reviews
echo <<<ENDHTML
	<h3><em>Reviews</em></h3>
	<table cellpadding="2" cellspacing="2" style="width: 90%; margin-left: auto; margin-right: auto;">
	<tr>
		<th style="width: 7em;"><a href=movie_details.php?movie_id=$mid&sort=review_date">Date</a></th>
		<th style="width: 10em;"><a href=movie_details.php?movie_id=$mid&sort=reviewer_name">Reviewer</a></th>
		<th><a href=movie_details.php?movie_id=$mid&sort=review_comment">Comments</a></th>
		<th style="width: 5em;"><a href=movie_details.php?movie_id=$mid&sort=review_rating">Rating</a></th>
	</tr>
ENDHTML;

while ($row = mysql_fetch_assoc($result)) {
	$date = $row['review_date'];
	$name = $row['reviewer_name'];
	$comment = $row['review_comment'];
	$rating = generate_ratings($row['review_rating']);
	echo <<<ENDHTML
	<tr>
		<td style="verticle-align: top; text-align: center;">$date</td>
		<td style="verticle-align: top;">$name</td>
		<td style="verticle-align: top;">$comment</td>
		<td style="verticle-align: top;">$rating</td>
	</tr>
ENDHTML;
}
echo <<<ENDHTML
</div>
</body>
</html>
ENDHTML;
?>

Lines 177-180 are the lines that I set the variables in the where loop:

	$date = $row['review_date'];
	$name = $row['reviewer_name'];
	$comment = $row['review_comment'];
	$rating = generate_ratings($row['review_rating']);

NogDog

For debugging purposes, try something like this:

while ($row = mysql_fetch_assoc($result)) { 
    // DEBUG:
    die("<pre>DEBUG:\n".print_r($row, true)."</pre>";
    // ...rest of code...

Check the output of the print_r() and make sure that the element names of $row exactly match (or even exsit) the array keys are are using in the following lines.

Derokorian

$mid = $result['review_movie_id'];

This line is wrong, $result is a mysql result resource, not an array. This should be one of your undefined index errors.

ENDHTML;}

When using HEREDOC syntax only the terminating string and optionally a semi-colon may appear on the line ending the HEREDOC. There may be no white-space or mark up of other kinds (aka this brace). This should be causing a parse error: unexpected end. I imagine it could be a copy paste error.

Make those changes, and report back the result of that plus NogDog's suggestion.