On this line:
$sql= 'SELECT url_imgsrch FROM p_url_imgsrch where 'word_id'='[$wid]' ORDER BY RAND() LIMIT 5';
Notice specifically how Stack Overflow's syntax highlighter treats it, especially around the term word_id
. What you're doing with those single-quotes is terminating the PHP string and then throwing in an unknown term, word_id
. PHP doesn't know what to do with this, so it gives the error you're seeing.
Is there a reason you're using single-quotes around the term word_id
? Should it be a string in the SQL statement? I'm guessing it shouldn't. You should be able to just reference the column in the table directly in the query. Something like this:
$sql= 'SELECT url_imgsrch FROM p_url_imgsrch where word_id='[$wid]' ORDER BY RAND() LIMIT 5';
Note that the PHP syntax parsing is completely separate from the SQL syntax parsing. All you're doing in this code is building a string to send to the database. The database will, afterward, parse that string as SQL code. So mixing PHP and SQL should be done with care so as to not produce invalid SQL, or you'll get more errors even though your PHP code is fine. (You should also, as noted in a comment on the question and in other answers, look into things like SQL Injection Attacks and learn how to further protect your code. The code may work, but it may at the same time present glaring security holes. See the rest of this answer, and other answers, for more details on this. It is important.)
Quick question, and maybe this is just syntax with which I'm not immediately familiar... why are there square brackets around the $wid
variable in that statement? I'm more familiar with MSSQL than with MySQL, and in the former square brackets signify a database object (not a variable, such as a string to match against a database object), which doesn't seem to be what you want here. It's likely you actually mean this:
$sql= "SELECT url_imgsrch FROM p_url_imgsrch where word_id='$wid' ORDER BY RAND() LIMIT 5";
Note two differences:
- Got rid of the square brackets.
- Changed the first and last quotes of the line from single quotes to double quotes. Both single quotes and double quotes can be used to denote strings in PHP. In this particular case, the double quotes are useful because they allow you to include single quotes within the string itself (without having to be escaped, which would make it more difficult to read).
Finally, and as others have also pointed out, this code needs to be protected against SQL injection attacks. The most immediate and apparent way to do this is with mysql_real_escape_string()
, more information here. What this function essentially does is convert a string into a more SQL-safe string by escaping control characters and such. You'd wrap any and all input strings with this before adding them to the SQL string:
$wid = mysql_real_escape_string($wid);
$sql= "SELECT url_imgsrch FROM p_url_imgsrch where word_id='$wid' ORDER BY RAND() LIMIT 5";
You can also consider taking further steps to reduce your SQL vulnerabilities, as well as potentially result in cleaner code. Consider looking into PHP Data Objects to represent your database interactions instead of just building SQL strings directly in code.