Variable contains numbers spaces and text.
on 04.04.2008 12:15:12 by screechyboy
I have a variable called $selectteam which is posted from an HTML form
and contains the value 'Team Alpha 1st Line'.
My code for getting this variable is as follows:
$selectteam = $_POST['selectteam'];
When I come to query my database with the following code:
$link = "SELECT * FROM tbl_call_data WHERE and Team1=$selectteam";
I get this error:
Incorrect syntax near 'Alpha'
This looks to me like it doesn't like the space, so I found urlencode,
which nearly did it:
$selectteam = urlencode($_POST['selectteam']);
I now get:
Incorrect syntax near 'st'
This looks to me like it doesn't like the 1. Any help getting round
this would be gratefully received.
I cannot remove the spaces as the database it writes this info to must
remain in the same format for other dependencies (the database wasn't
created by me).
Many thanks
Re: Variable contains numbers spaces and text.
on 04.04.2008 12:26:34 by Michael Fesser
.oO(screechyboy@googlemail.com)
>I have a variable called $selectteam which is posted from an HTML form
>and contains the value 'Team Alpha 1st Line'.
>
>My code for getting this variable is as follows:
>$selectteam = $_POST['selectteam'];
>
>When I come to query my database with the following code:
>$link = "SELECT * FROM tbl_call_data WHERE and Team1=$selectteam";
>
>I get this error:
>Incorrect syntax near 'Alpha'
>
>This looks to me like it doesn't like the space, so I found urlencode,
>which nearly did it:
>$selectteam = urlencode($_POST['selectteam']);
Wrong solution. MySQL just doesn't like your unquoted string value. You
also want to use mysql_real_escape_string() before you send the data to
the DB to prevent SQL injection:
$selectteam = mysql_real_escape_string($_POST['selectteam']);
$link = "SELECT * FROM tbl_call_data WHERE and Team1='$selectteam'";
Notice the single quotes around $selectteam in the query.
HTH
Micha
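The quoting problem discussed in this thread, shown with a bound parameter, as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database and constructed rows rather than the poster's real database; only the table name tbl_call_data and column Team1 come from the thread, and findByTeam() and the id column are hypothetical.

```php
<?php
// Added example: constructed table and rows in an in-memory SQLite database
// (assumption: the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_call_data (id INTEGER PRIMARY KEY, Team1 TEXT)');

$insert = $db->prepare('INSERT INTO tbl_call_data (Team1) VALUES (?)');
foreach (['Team Alpha 1st Line', "Team O'Neil 2nd Line", 'Team Beta'] as $name) {
    $insert->execute([$name]);
}

// Hypothetical helper: the value travels as a bound parameter, so spaces,
// digits and apostrophes in it never become part of the SQL text.
function findByTeam(PDO $db, string $team): array
{
    $stmt = $db->prepare('SELECT id, Team1 FROM tbl_call_data WHERE Team1 = :team');
    $stmt->execute([':team' => $team]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_POST['selectteam'].
$samples = ['Team Alpha 1st Line', "Team O'Neil 2nd Line", 'No Such Team'];
foreach ($samples as $selectteam) {
    $rows = findByTeam($db, $selectteam);
    printf("%-22s -> %d row(s)\n", $selectteam, count($rows));
}

// The unquoted interpolation from the question: the database parses the
// words of the value as SQL tokens and rejects the statement.
$selectteam = 'Team Alpha 1st Line';
try {
    $db->query("SELECT * FROM tbl_call_data WHERE Team1=$selectteam");
} catch (PDOException $e) {
    echo 'Unquoted interpolation fails: ', $e->getMessage(), "\n";
}
```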
Re: Variable contains numbers spaces and text.
on 04.04.2008 16:09:37 by screechyboy
On 4 Apr, 11:26, Michael Fesser wrote:
> .oO(screechy...@googlemail.com)
>
> >I have a variable called $selectteam which is posted from an HTML form
> >and contains the value 'Team Alpha 1st Line'.
>
> >My code for getting this variable is as follows:
> >$selectteam = $_POST['selectteam'];
>
> >When I come to query my database with the following code:
> >$link = "SELECT * FROM tbl_call_data WHERE and Team1=$selectteam";
>
> >I get this error:
> >Incorrect syntax near 'Alpha'
>
> >This looks to me like it doesn't like the space, so I found urlencode,
> >which nearly did it:
> >$selectteam = urlencode($_POST['selectteam']);
>
> Wrong solution. MySQL just doesn't like your unquoted string value. You
> also want to use mysql_real_escape_string() before you send the data to
> the DB to prevent SQL injection:
>
> $selectteam = mysql_real_escape_string($_POST['selectteam']);
> $link = "SELECT * FROM tbl_call_data WHERE and Team1='$selectteam'";
>
> Notice the single quotes around $selectteam in the query.
>
> HTH
> Micha
Awesome, works a treat, thank you.