Quick mysql_query() question

I have the following code:

mysql_query("SELECT * FROM list WHERE name LIKE '%'$searchTerm'%' OR description LIKE '%'$searchTerm'%';");

The only problem is, in pure SQL, such a query woul开发者_运维问答d look like:

SELECT * FROM list WHERE name LIKE '%asdf%' OR description LIKE '%asdf%'

What I'm confused about is how to put my variables into the string properly, normally a variable in a mysql_query would be surrounded by single quotes, but the addition of the single quotes in the SQL itself is confusing me.

I tried concatenating with . but I don't think that's a good solution.

mysql_query("SELECT * FROM list WHERE name LIKE '%$searchTerm%' OR description LIKE '%$searchTerm%';");

Why won't you just...

echo "SELECT * FROM list WHERE name LIKE '%$searchTerm%' OR description LIKE '%$searchTerm%';"

...and see how the query actually will look like..

I don't know PHP, but I suggest to use a replace function to manage the character "'" into $searchterm. This also allow to avoid sql injections..

This is the clearest way to me, using "." to concatenate:

mysql_query("SELECT * FROM list WHERE name LIKE '%".$searchTerm."%' OR description LIKE '%".$searchTerm."%'");

Try and use that, it should work on what you're trying :)