SELECT * FROM $ _POST [] - PHP mySQL格式

Need help formatting a mySQL query string. The following query returns "parse error, expecting T_STRING or T_VARIABLE"

PHP:

<?php


include 'db_connect.php';

mysql_select_db($databaseName, $con);

$query = "SELECT * FROM .$_POST['tab']. WHERE plant_code = .$_POST['plant_code']";

$result = mysql_query($query) or die (mysql_error());

$row = mysql_fetch_assoc($result);

echo json_encode($row);

?>

jQuery:

$('#profiles_desktops').click(function(){
                $.post("php/loadProfile.php", {plant_code : selectedSite, tab : "profiles_desktops"}, function(result){ (do something here...) });  });

DO NOT DO THAT! it's wide open to SQL injection attacks. For god sake, validate and escape your input.

at the very least, rewrite it to:

$query = "SELECT * FROM `".mysql_real_escape_string($_POST['tab'])."` WHERE plant_code = '".mysql_real_escape_string($_POST['plant_code'])."'";

Query should be:

"SELECT * FROM ".$_POST['tab']." WHERE plant_code =".$_POST['plant_code']

The periods (.) in your query are unnecessary because you didn't break the quotes. Either of these should work:

$query = "SELECT * FROM $_POST['tab'] WHERE plant_code = $_POST['plant_code']";

or

$query = "SELECT * FROM " . $_POST['tab'] . " WHERE plant_code = " . $_POST['plant_code'];

Edit: This is, of course, not addressing the giant injection security holes :]

Your concatenations in $query declaration are wrong.

$query = "SELECT * FROM " . $_POST['tab'] . "WHERE plant_code = '" . mysql_real_escape_string($_POST['plant_code']) . "'";

would suffice.

Should be:

$query = "SELECT * FROM ".$_POST['tab']." WHERE plant_code = ".$_POST['plant_code'];

needed to have the php variable surrounded by double quotes (and leave the last one off, since you are ending with a variable, or instead of double quotes, leave out the dots because PHP will see it's variables and convert them to the values before the query runs. Also, sql doesn't like bracketed array variables for some reason. Try putting all your values in variables which is also much nicer to read:

$tab = $_POST['tab'];
$plant = $_POST['plant_code'];
$query = "SELECT * FROM ".$tab." WHERE plant_code = ".$plant;