Error: mysql_fetch_assoc within function

2
function retornaStatusPesquisa($numeroStatus, $nomePessoa, $nomeTabela){
    // All three parameters are interpolated straight into the SQL string:
    // $nomeTabela unquoted as the table name, $nomePessoa inside single quotes.
    $query = mysql_query("SELECT COUNT(status) AS valorStatus FROM $nomeTabela WHERE status=$numeroStatus AND nomePessoa='$nomePessoa'");
    // mysql_query() returns false on a syntax error, so mysql_fetch_assoc()
    // would then receive false instead of a result resource.
    $contador = mysql_fetch_assoc($query);
    return $contador;
}

I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE status = 1 AND nomePessoa='Joao'' at line 1

It's probably because of $nomeTabela, but I don't know why this happens. Could you shed some light on it?

asked by anonymous 30.06.2015 / 00:38

1 answer

3

There is a possibility that you or someone else is passing $nomePessoa with a single quotation mark, for example João', and this ends up breaking the logic of your parameter concatenation, besides opening security holes.

Prefer to pass the parameters through bindValue; more information here: #

Another source that may help you move your project to PDO: link

30.06.2015 / 00:46
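The answer's suggestion as an added example (not the answerer's code, and not taken from the question): the question's function rewritten on top of PDO, with the two data values passed through bindValue and the table name checked against a fixed list, since an identifier cannot be a bound placeholder. It assumes PHP 7+ with PDO, the hypothetical table names in TABELAS_PERMITIDAS, and an in-memory SQLite database as a stand-in for MySQL so that it runs without a server; the constructed sample rows include a name with the single quote that breaks the original concatenation.

```php
<?php
// Added example, not code from the question or the answer. It assumes PHP 7+
// with PDO, uses an in-memory SQLite database so it runs without a MySQL
// server (the SQL is the same for MySQL), and the table names in
// TABELAS_PERMITIDAS are hypothetical.

const TABELAS_PERMITIDAS = ['pesquisa_2014', 'pesquisa_2015'];

/**
 * Same query as the question's function, but the two data values are bound
 * with bindValue() instead of being concatenated into the SQL string.
 * Returns the count as an integer rather than the raw fetched row.
 */
function retornaStatusPesquisa(PDO $pdo, int $numeroStatus, string $nomePessoa, string $nomeTabela): int
{
    // A table name cannot be a bound placeholder, so it is checked against a
    // fixed list instead of being interpolated blindly. This also rejects the
    // empty table name that yields the "near 'WHERE ...'" syntax error.
    if (!in_array($nomeTabela, TABELAS_PERMITIDAS, true)) {
        throw new InvalidArgumentException("Table not allowed: '$nomeTabela'");
    }

    $sql = "SELECT COUNT(status) AS valorStatus FROM `$nomeTabela` "
         . "WHERE status = :status AND nomePessoa = :nome";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':status', $numeroStatus, PDO::PARAM_INT);
    $stmt->bindValue(':nome', $nomePessoa, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $stmt->fetchColumn();
}

// Constructed sample data: one of the names contains the single quote that
// breaks the original concatenation.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pesquisa_2015 (status INTEGER, nomePessoa TEXT)');
$pdo->exec("INSERT INTO pesquisa_2015 (status, nomePessoa) VALUES (1, 'Joao'), (1, 'João'''), (0, 'Joao')");

// The quoted name is looked up literally instead of truncating the query.
echo retornaStatusPesquisa($pdo, 1, "João'", 'pesquisa_2015'), "\n";
echo retornaStatusPesquisa($pdo, 1, 'Joao', 'pesquisa_2015'), "\n";

// A classic injection payload is just a string that no row matches.
echo retornaStatusPesquisa($pdo, 1, "' OR '1'='1", 'pesquisa_2015'), "\n";

// The empty table name from the question is refused before any SQL runs.
try {
    retornaStatusPesquisa($pdo, 1, 'Joao', '');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with the php command-line binary; it needs the pdo_sqlite extension. The whitelist is what turns the question's empty $nomeTabela into an exception with a clear message instead of a MySQL syntax error, and note that the mysql_* functions used in the question were removed in PHP 7.0, so moving to PDO (or mysqli) is required, not merely advisable.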