How to put a variable in a MySQL query

How to insert a variable instead of Bukharov’s word?

      $result = mysql_query("SELECT name, surname, class_str, class_int FROM datacenter WHERE surname = ''");
          while ($row = mysql_fetch_array($result))
      {
     echo $row[0];
echo $row[1];
echo $row[2];
echo $row[3];
   }

Answer 1, authority 100%

$surname = "";
$result = mysql_query("SELECT name, surname, class_str, class_int FROM datacenter WHERE surname = '$surname'");

Answer 2, authority 25%

either with or without ‘$foo’, it doesn’t matter

$result = mysql_query(“SELECT name, surname, class_str, class_int FROM datacenter WHERE surname = $foo”);


Answer 3

At the expense of variable substitution, do it right IMMEDIATELY, which means that the variable must be properly filtered before setting it (this applies if you substitute a variable from all sorts of POST and GET requests)
I personally use php placeholder
example

$query = sql_placeholder('select * from users where email=? and password=? limit 1', $_POST['email'], $_POST['pass']);

It’s quite convenient if that’s it: http://dklab.ru/chicken/nablas/demo/ placeholder/Placeholder.php