simple select statement

Anon

After a couple of years of perl coding I am delving into php, and have come accross this little select statement that is tripping me up.
suppose
$VarOne = "A";
$VarTwo = "B";
$st = "SELECT * FROM Table WHERE FieldOne = '$VarOne' AND FieldTwo = '$VarTwo' ";
for some reason this kind of statement produces an error of "Unknown column 'blah' in 'where clause' " --- where blah displays the value of $VarOne

However if I specify the values in the sql statement such as
$st = SELECT * FROM Table WHERE FieldOne = 'A' AND FieldTwo = 'B' ";
everything will work just fine

my problem seems to be the usage of single quotes '
but I cant seem to figure out what is going wrong here.

any help would be appreciated
kevin

Anon

Try this:

$st = "SELECT * FROM Table WHERE FieldOne = '" . $VarOne . "' AND FieldTwo = '" . $VarTwo . "' ";

or with PHP4 (I think..)

$st = "SELECT * FROM Table WHERE FieldOne = '{$VarOne}' AND FieldTwo = '{$VarTwo}' ";

Anon

thanks for the input but no dice... it still bombs out every time. Maybe I should include a bit more code and explanation

what I have is a recursive function whose arguments are a criteria and a id to look up.
what this is for is a org chart lookup so that for example a criteria of Manager with a id of 12345 will then display all managers beneath them and all the employs below them in the org chart as well. Kind of a tree like lookup. So here is some of the code and errors that I get

now if I supply a hardcoded sql statement with the WHERE clause being something like .... WHERE Type = 'Manager' and ReportsToID='12345' then everything works like a charm, but when I use variables I get several different errors ranging from parse errors on line ... (the line of the sql statement) to Netscape errors of the dreaded "no data found" or IE errors of "page can not be displayed"

so it sounds like some sort of variable interpolation problem within the WHERE clause of the variable $statement
I have tried all of the following WHERE clauses with no avail
... WHERE Type = {$crit} and ReportsToID = {$id} ";
... WHERE Type = '$crit' and ReportsToID = '$id' ";
... WHERE Type = ' " . $crit ." ' and ReportsToID = ' " . $id} . " ' ";
... WHERE Type = ' \'$crit\' ' and ReportsToID = ' \'$id\' ' ";
... WHERE Type = $crit and ReportsToID = $id ";
... WHERE Type = ' '$crit' ' and ReportsToID = ' '$id' ' ";
Since all of this

function doQuery($criteria, $id){

if ($criteria == "Manager") {
$crit = "Manager";

$statement = "SELECT ID, FirstName, LastName, Type, EmailAddress, ReportsToID, ReportsToName FROM OrgChart WHERE Type = {$crit} and ReportsToID = {$id} ";
}

elseif ($criteria == "Employee") {
$crit = "Employee";
$statement = "SELECT ID, FirstName, LastName, Type, EmailAddress, ReportsToID, ReportsToName FROM OrgChart WHERE Type = {$crit} and ReportsToID = {$id} ";;
}

else{
$msg = "You must specify a search criteria as you searched for $criteria and the userid supplied is $username";
printError($msg);
}

if (!($link=mysql_connect($hostName, $userName, $passWord))){
printError(sprintf("error contecting to host %s, by user %s", $hostName, $userName));
}
// Select the db
if (!mysql_select_db($databaseName, $link)){
printError(sprintf("Error in selecting %s database", $databaseName));
printError(sprintf("Error:%d %s", mysql_errno($link), mysql_error($link)));
}
// Here we are getting the users information by constructing a SQL statement
if (!($result = mysql_query($statement, $link))){
printError(sprintf("Error in executing %s statement", $statement));
printError(sprintf("Error:%d %s", mysql_errno($link), mysql_error($link)));
exit();
}
$num = mysql_num_rows ($result);
// no records found thus a userid was not passed;
if ($num == 0){
// NO RECORDS WERE FOUND SO I NEED TO DISPLAY THE DEFAULTS
// AND EXIT THE FUNCTION
}
else{
while (($row = mysql_fetch_object($result))){
$ID = $row->ID;
$FirstName = $row->FirstName;
$LastName = $row->LastName;
$Type = $row->Type;
$EmailAddress = $row->EmailAddress;
$ReportsToId = $row->ReportsToID;
$ReportsToName = $row->ReportsToName;

echo("<tr>");
echo("<td><a href=\"details.php?id=$ID\">$FirstName $LastName</a></td>");
echo("<td>$Type</td>");
echo("<td><a href=\"mailto:$EmailAddress\">$EmailAddress</a></td>");
echo("<td><a href=\"details.php?id=$ReportsToId\">$ReportsToName</a></td>");
echo("</tr>");
}
}
doQuery("$crit", "$ID");
}

Kudos to those who made it this far, and even more kudos for those with any ideas.

Anon

Did you try printing the $st after you create it so you can see just what it is trying to send to the database?

Anon

great point!
when i did what you suggested I found that the single quotes were being removed prior to the mysql_query function so that the statement it was receiving was
... WHERE Status = Manager AND ReportsToID = 12345

so I found that this structure works great for keeping the single quotes intact.

$statement = "SELECT * FROM OrgChart WHERE Type = '{$criteria}' AND ReportsToID = '{$id}' ";

Im not sure why this works but it does. Anybody have an explanation?

thanks for your feedback

Anon

Maybe something to do with magic quotes.
Then again maybe not. Just a guess.