[SOLVED]sql error ?

it might looks like a plain mysql error for most you, but still I don’t know why am getting this error

Error in querying SQL: SELECT * FROM wsmembers WHERE EmailConfirmed = 0 

AND WSEmailAddress =test.md5@gmail.com

in C:\xampp\htdocs\yii\myapp\protected\controllers\WsmembersController.php

(256)

in C:\xampp\htdocs\yii\myapp\index.php (13)

	public function actionActivate()

	{

	

		$email = Yii::app()->request->getQuery('email');

		$model = new Wsmembers();

//		$criteria = new CDbCriteria;

//		$criteria->select = 'EmailAddress';

//		$criteria->condition = 'EmailConfirmed=:value';

//		$criteria->params = array(':value' => 0);

//		$criteria->condition = "EmailAddress =".$email;

//		$result = Wsmembers::model()->find($criteria);


		$connection = Yii::app()->db;

		$sql = "SELECT * FROM wsmembers WHERE EmailConfirmed = 0  AND EmailAddress =".$email;

		$command = $connection->createCommand($sql);

		$result = $command->query();

		

			if($result != null)

			{

				#$model->find($criteria);

				$model->EmailConfirmed = '1';

				$model->MembershipDateConfirmed = new CDbExpression('NOW()');

				$model->save();

			}

	}

}

I did every possible quote/double quoting variations in that sql command that i know that should have worked

but still am getting that sql error, i don’t know what’s wrong with it

Your problem is that the email is not quoted.

Try with this condition:

$criteria->condition = 'EmailConfirmed=0';

$criteria->condition = "EmailAddress =:email";

$criteria->params = array(':email' => $_GET['email']);

The params should be correctly quoted.

An alternative valid quotation can be:

 $sql = "SELECT * FROM wsmembers WHERE EmailConfirmed = 0  AND EmailAddress ='$email'";

But you should prepare $email with addslashes, on order to avoid sql injection.

In a word is better to use params.

i have reached my quota of positive votes for the day…but thanks alot for this