Passing a variable from a form to a MySql query
Old 06-14-2007, 06:47 AM Passing a variable from a form to a MySql query
Experienced Talker

Posts: 33
Trades: 0
I have a form set up with a dropdown list of values for a field "manufacturer" in my database.

I can pass the variable to my php script. I know this because I use:

$manufacturer = $_POST['manufacturer'];

echo "<h1> Query result for manufacturer = ","$manufacturer", "</h1>";

And the page prints the appropriate value chosen from the form.
I'm trying to use the $manufacturer variable in a mysql query to select records which match.

My mysql query works when I use the following code:

$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = 'Yamaha'") or die(mysql_error());

but not when I add the $_POST[manufacturer] value in place of 'Yamaha'.
The error I get is: "Unknown column 'Yamaha' in 'where clause'"
Is it my syntax?


Many thanks for any help you can give.
Mark
monkey64 is offline
Old 06-14-2007, 08:21 AM Re: Passing a variable from a form to a MySql query
JeremyMiller's Avatar
Full-Time TeraTasker

Posts: 1,470
Name: Jeremy Miller
Location: Marianna, FL
Trades: 0
You probably wrote:

$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = ".$manufacturer) or die(mysql_error());


which removes the quotes around the entry, so try something like this:


$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = '".$manufacturer."'") or die(mysql_error());


Please note that you have not sanitized this user input against SQL injection in the code you've given us.
__________________
Jeremy Miller - TeraTask
Content Farmer - Automated Posting for Content & Blog Sites
 
Old 06-17-2007, 08:07 AM Passing a variable from a form to a MySql query
This worked for me, thanks for the post.

$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = ('$_POST[serialnumber]')") or die(mysql_error());
monkey64 is offline
 
Old 06-17-2007, 08:11 AM Re: Passing a variable from a form to a MySql query
That query is subject to SQL injection. You should look into protecting your data. I've written something up at www.programmerstalk.net/thread722.html .

I'm off on vacation starting tomorrow, so I won't be able to follow up for a week.
__________________
Jeremy Miller - TeraTask
Content Farmer - Automated Posting for Content & Blog Sites
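
The difference between the string-built queries posted in this thread and a bound parameter, as an added example that is not part of any post: it uses PDO because the mysql_* functions were removed in PHP 7, and as an assumption an in-memory SQLite database stands in for MySQL so the script runs offline. The serialnumber values and the three inputs are constructed sample data.

```php
<?php
// Added example, not code from the thread. Assumption: an in-memory SQLite
// database stands in for MySQL so the script runs offline; with MySQL only the
// DSN (and credentials) passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows for the thread's serialtest table.
$pdo->exec("CREATE TABLE serialtest (serialnumber TEXT, manufacturer TEXT)");
$pdo->exec("INSERT INTO serialtest VALUES
    ('SN-001', 'Yamaha'), ('SN-002', 'Roland'), ('SN-003', 'Korg')");

// String-built query, as in the thread: the value becomes part of the SQL text.
function findByConcat(PDO $pdo, string $manufacturer): array
{
    $sql = "SELECT * FROM serialtest WHERE manufacturer = '" . $manufacturer . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is bound as data.
function findByPrepared(PDO $pdo, string $manufacturer): array
{
    $stmt = $pdo->prepare("SELECT * FROM serialtest WHERE manufacturer = :m");
    $stmt->execute([':m' => $manufacturer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['manufacturer'].
$inputs = [
    'Yamaha',               // value chosen from the dropdown
    "Yamaha' OR '1'='1",    // the quote closes the literal; the rest runs as SQL
    "O'Hara",               // legitimate name that happens to contain a quote
];

foreach ($inputs as $input) {
    try {
        $concat = count(findByConcat($pdo, $input)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';   // the stray quote broke the statement
    }
    $prepared = count(findByPrepared($pdo, $input)) . ' row(s)';
    printf("%-20s concat: %-10s prepared: %s\n", $input, $concat, $prepared);
}
```

A dropdown does not restrict what arrives in $_POST, so the bound parameter is what keeps the second and third inputs from changing or breaking the statement.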
 