In a PHP application I am trying to get the users' information from the table like below:
session_start();
$sql = "SELECT * FROM users WHERE company_id = $_SESSION[‘companyId’]";
$result = $connect->query($sql);
but the query statement in bold throws a syntax error:
syntax error, unexpected string content "", expecting "-" or identifier or variable or number
Am I missing something?
2 Answers
Try this :
There are several ways to do this.
First of all, you can’t embed complex expressions in a string that way. You can use braces:
Or concatenation:
More importantly, writing a query like that leaves you open to SQL injection. This is a very dangerous way to write queries.
What you should do is use prepared statements to bind the parameters to your query, like this:
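The prepared-statement approach the answer recommends, written out as an added example (this is not the answerer's code). It assumes $connect is a mysqli connection, that the users table has the company_id column from the question, and that $_SESSION['companyId'] holds the current user's company id; the connection credentials are constructed placeholders.

```php
<?php
// Added example, not from the original answer. Assumes a mysqli connection,
// a users table with a company_id column, and $_SESSION['companyId'].
declare(strict_types=1);

session_start();

// Constructed placeholder credentials; replace with your own.
$connect = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($connect->connect_error) {
    throw new RuntimeException('Connection failed: ' . $connect->connect_error);
}

/**
 * Fetch all users belonging to one company with a prepared statement.
 * The company id is sent as a bound parameter, never spliced into the SQL
 * text, so a tampered session value cannot change the query's structure.
 * (Interpolating with braces, "{$_SESSION['companyId']}", would fix the
 * parse error from the question but would still be injectable.)
 */
function fetchUsersForCompany(mysqli $connect, int $companyId): array
{
    // The '?' placeholder is bound below; the SQL string itself is constant.
    $stmt = $connect->prepare('SELECT * FROM users WHERE company_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $connect->error);
    }
    $stmt->bind_param('i', $companyId); // 'i' = bind as integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Validate the session value before use: it must be a positive integer.
$companyId = filter_var(
    $_SESSION['companyId'] ?? null,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($companyId === false) {
    http_response_code(403);
    exit('No valid company id in session');
}

$users = fetchUsersForCompany($connect, $companyId);
echo json_encode($users, JSON_PRETTY_PRINT), PHP_EOL;
```

get_result() requires the mysqlnd driver; on builds without it, use bind_result() and fetch() in a loop instead.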