"Dimitri Marshall" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> "Sophie Mattoug" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Paul Duggan wrote:
> >
> > >if I create a text box:
> > >
> > ><body>
> > >
> > ><form action="nextpage.html" method="GET" name="myform">
> > >
> > > <input type="Text" name="surname" align="TOP" size="25"><br>
> > >
> > > <input type="Submit" value="Submit" align="MIDDLE">
> > >
> > ></form>
> > >
> > >
> > >how do I go about extracting a surname from a mysql database?
> > >
> > >
> > >
> > >will it be something along the lines?
> > >
> > >select firstname,surname
> > >from employees
> > >where surname = textbox.surname;
> > >
> > >
> >
> > "SELECT firstname, surname FROM employees WHERE surname =
> > '{$_GET['surname']}'"
>
> You might also want to do it this way...
>
> "SELECT firstname, surname FROM employees WHERE surname =
> \"{$_GET['surname']}\""
>
> Just in case their name is something like O'Neil, it won't interfere with
> your script.
>

An even better way is this

//process the surname, add slashes
$surname = addslashes($_GET['surname']);

//make the query
$sqlquery = "SELECT firstname, surname FROM employees WHERE surname = '$surname'";

This makes sure that if there are signs like " or ', they will be escaped ;-)

> Good luck,
> Dimitri Marshall
>
> >
> > >
> > >new to this so I'm trying to get my head around it, basically I just want to
> > >search a mysql database by someone's surname.
> > >
> > >cheers!
> > >
> > >
> > >
> > >


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
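
An added example, not part of the original thread or any poster's code: the surname lookup done with a bound parameter (a PDO prepared statement), so a name like O'Neil never becomes part of the SQL text and no escaping step is needed; `addslashes()` is not aware of the connection character set, which is why binding is preferred over it. Assumptions: an in-memory SQLite database with constructed rows stands in for the MySQL `employees` table, and `surnameFromRequest` and `findBySurname` are hypothetical helper names.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for MySQL so it runs offline.
// For MySQL, change only the connection, e.g.
//   new PDO('mysql:host=HOST;dbname=DB;charset=utf8mb4', USER, PASS,
//           [PDO::ATTR_EMULATE_PREPARES => false]);
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows for the employees table from the thread.
$pdo->exec('CREATE TABLE employees (firstname TEXT, surname TEXT)');
$insert = $pdo->prepare('INSERT INTO employees (firstname, surname) VALUES (?, ?)');
foreach ([['Sean', "O'Neil"], ['Ann', 'Smith'], ['Eve', 'Sm"ith']] as $row) {
    $insert->execute($row);
}

// Hypothetical helper: read the form field, rejecting arrays (?surname[]=x) and
// over-long values (64 is an arbitrary cap) before they reach the database.
function surnameFromRequest(array $query): ?string
{
    $value = $query['surname'] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > 64) {
        return null;
    }
    return $value;
}

// Hypothetical helper: the SQL text is fixed; the surname travels separately as
// a bound parameter, so quotes in it are data and never part of the statement.
function findBySurname(PDO $pdo, string $surname): array
{
    $stmt = $pdo->prepare(
        'SELECT firstname, surname FROM employees WHERE surname = :surname'
    );
    $stmt->execute([':surname' => $surname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_GET as the form's target page would receive it.
$requests = [['surname' => "O'Neil"], ['surname' => 'Sm"ith'],
             ['surname' => ['x']], ['surname' => 'Nobody']];
foreach ($requests as $query) {
    $surname = surnameFromRequest($query);
    if ($surname === null) {
        echo "rejected input\n";
        continue;
    }
    $rows = findBySurname($pdo, $surname);
    printf("%s: %d row(s)\n", $surname, count($rows));
}
```

When the result is written into an HTML page rather than a terminal, pass each value through `htmlspecialchars()` before output.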
