I am working on a small library application. I have a bit of code in php that feeds a variable to an SQL routine. I want to move this bit of insecure PHP code to an SQL procedure.

right now the procedure looks like this:

 Delimiter ~~~

create procedure findwriter (in thread varchar(25))
begin
select books.title as title, 
concat(authors.efname,' ',authors.elname) as scribe
,books.book_id as id, Topics.topic as subject from books
 inner join bookswritten using(book_id) 
inner join authors using(writer_id)
inner join Topics using(Topic_id) where authors.elname like
 "thread%" group by books.title order by authors.elname,
 books.title;
end;

   ~~~
delimiter ;

when I feed in a name to the procedure, I get an error that it doesnt' recognize the string in my field list.

This incarnation worked well in PHP

Thanks