A few thoughts:
- You may want to add single quotes inside the query as some text could have spaces or special characters and SQL loves boundaries. If you don't like the double quotes around it, it still should work fine, but it's become a habit for me.
Possible code:
// get a location from the Location table
$result = mysql_query("SELECT * FROM Location WHERE locationName = '".$locationName."'");
- When you stored your data in the database, did you account for escaped characters (i.e. did you use mysql_real_escape_string() to add slashes to the data as it was inserted to prevent injection attacks or faulty data)? If so, you may want to use the same function to verify the data and then use the stripslashes() function to return "normalized" data to insert into your response.
Data example within the database: that/'s what i/'m talkin/' abuot /"fella/'/"!
Possible code:
$locationName = mysql_real_escape_string($_GET['locationName']);
and
$product["locationName"] = stripslashes($row["locationName"]);
- You can add error checking and/or display messages to help troubleshoot.
Inline error display for MySQL queries: (This will stop the page on an error and display the MySQL returned message)
$result = mysql_query("SELECT * FROM Location WHERE locationName = '".$locationName."'") or die(mysql_error());
General error reporting in PHP: (this one is a bit verbose and displays warnings too)
// Same as error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
Verbose output: Sometimes I add verbose messages within a page so I can validate the queries I submit, and either remove or comment them out after the script is tested.
// build the query string first so it can be echoed before it is run
$locationQuery = "SELECT * FROM Location WHERE locationName = '".$locationName."'";
echo "Current Query: ".$locationQuery."<br>\n";
$result = mysql_query($locationQuery) or die(mysql_error());
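
An added example, not part of the original answer: the same Location lookup written with a PDO prepared statement, so the value is bound as data instead of being quoted and escaped by hand. The in-memory SQLite database, the sample rows and the findLocation() helper are assumptions made so the script runs on its own; the mysql_* functions used above were removed in PHP 7.

```php
<?php
// Added example (not from the original post). Assumption: PDO with an
// in-memory SQLite database stands in for the MySQL server so the script
// runs offline; for MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows, named after the post's Location table.
$pdo->exec('CREATE TABLE Location (id INTEGER PRIMARY KEY, locationName TEXT)');
$insert = $pdo->prepare('INSERT INTO Location (locationName) VALUES (?)');
foreach (["Joe's \"Corner\" Cafe", 'Main Street'] as $name) {
    $insert->execute([$name]);   // stored byte-for-byte, no slashes added
}

// Hypothetical helper: look up rows by name. The value is bound to the
// placeholder and never concatenated into the SQL text.
function findLocation(PDO $pdo, string $locationName): array
{
    $stmt = $pdo->prepare('SELECT id, locationName FROM Location WHERE locationName = ?');
    $stmt->execute([$locationName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['locationName'].
$inputs = [
    "Joe's \"Corner\" Cafe",   // quotes in legitimate data
    "Main Street",
    "x' OR '1'='1",            // quote-breaking input: compared as a plain string
];

foreach ($inputs as $input) {
    try {
        $rows = findLocation($pdo, $input);
    } catch (PDOException $e) {
        // Log the detail server-side rather than printing the database error to the page.
        error_log('Location lookup failed: ' . $e->getMessage());
        $rows = [];
    }
    printf("%-24s => %d row(s)\n", $input, count($rows));
    foreach ($rows as $row) {
        echo "    stored as: ", $row['locationName'], "\n";  // read back unchanged
    }
}
```

The first two inputs each match one row and the third matches none, because the whole string is compared against locationName rather than parsed as SQL.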