$query = sprintf( 'SELECT %s FROM hostess', $username);
-or, if that's a string value, I suspect you may want to include that in single quotes in the query text -
$query = sprintf( "SELECT '%s' FROM hostess", $username);
NOTE: The generated SQL statement looks a bit odd, in that its going to return the same literal value for every row in the hostess table. If there's a hundred rows in the hostess table, you are going to return 100 rows with the same literal value. This may be what you want, but it strikes me as VERY odd.
NOTE: The sprintf function looks for %s, %d, etc. placeholders in the first argument, and replaces them with values from the remaining arguments.)
NOTE: If $username
contains a value coming in from a form, and has not been validated, to thwart SQL injection attacks, I would use the (admittedly old school) mysql_real_escape_string
function. (Others will offer suggestions for better, more modern techniques to accomplish the same result.)
$query = sprintf("SELECT '%s' FROM hostess",mysql_real_escape_string($username));