I am trying to put the PHP variable
$EventID
directly into a query statement. I tried to do it using a , as a break like you would in an echo statement but that doesn't work. How do you do this?
$EventID = $_GET['id'];
//I took the $serverName variable out for obvious reasons
$connectionOptions = array("Database"=>"Seminars", "UID"=>"sa","PWD"=>"scr0gg1ns");
$conn = sqlsrv_connect( $serverName, $connectionOptions);
$query = "SELECT * FROM Event where EventID =", $EventID;
$stmt1 = sqlsrv_query( $conn, $query);
Your query should be like as below:
$query = "SELECT * FROM Event where EventID =".$EventID;
First of all, I highly recommend using PDO to query your database. The "Prepared Statements" section of the tutorial will also answer your question.
If you think that is too advanced and just want to trying something simple now, you can simply do the following:
$query = "SELECT * FROM Event where EventID = '$EventID'";
Simply you need to add the $EventID string. for this php use . like the code below
$EventID = $_GET['id'];
//I took the $serverName variable out for obvious reasons
$connectionOptions = array("Database"=>"Seminars", "UID"=>"sa","PWD"=>"scr0gg1ns");
$conn = sqlsrv_connect( $serverName, $connectionOptions);
$query = "SELECT * FROM Event where EventID =" . $EventID;
$stmt1 = sqlsrv_query( $conn, $query);
You should be sanitise your variable before using it into request to prevent sql injection
$query = "SELECT * FROM Event where EventID ='$EventID'";
You can do it as follows:
$query = "SELECT * FROM Event where EventID = {$EventID}";
However, this means that hackers can easily use SQL injection on your site so you should not do this. Use prepared statements instead with either PDO or mysqli.