
What's wrong with this simple PHP SQL statement?

I want to recover all the users with "blo" in their full name, for example: "Pablo".

I pass the "blo" value in the PHP parameter user:

$q=mysql_query("select * From user Where fullName Like '%'".$_REQUEST['user']."'%'",$link );

Something is wrong in the PHP SQL statement, because when I try the statement with the argument "blo" directly on my SQL database I see that the SQL statement is correct: it returns the right result. This is the statement with the argument "blo" in it: select * From user Where fullName Like "%blo%"

I'm sure that the PHP is receiving the "blo" parameter correctly, so it has to be a syntax error in the SQL statement in the PHP... but I can't find it.

EDIT: OK!! The last statement is solved, but now I have this new statement with the same problem. It has an error but I don't know where.

// mysql_escape() is not a PHP function; the escaping function in the old mysql extension
// is mysql_real_escape_string(), used consistently here for all three request values.
$query = sprintf("SELECT u.* 
                    FROM USER u
                   WHERE u.fullName LIKE '%%%s%%' AND email NOT IN (select pp.fk_email2 from permission pp where pp.fk_email1='".mysql_real_escape_string($_REQUEST['mymail'])."') AND email NOT LIKE  '".mysql_real_escape_string($_REQUEST['mymail'])."' ",
                  mysql_real_escape_string($_REQUEST['user']));


SQL requires single quotes to indicate a string for comparison, and the wildcard character (%) must be included inside of those single quotes. Double quotes are used for column and table aliasing only, if at all.

$query = sprintf("SELECT u.* 
                    FROM USER u
                   WHERE u.fullName LIKE '%%%s%%'",
                  mysql_real_escape_string($_REQUEST['user']));

$q = mysql_query($query, $link);

Secondly, you're leaving yourself open to a SQL injection attack by not sanitizing the user request variable. Always use mysql_real_escape_string when dealing with strings being submitted to a MySQL database.
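The two points raised in this answer (put the wildcards inside the string literal, and never concatenate raw request data into SQL) are easier to see side by side. The following is an added example written for this page, not code from the original question or any of the answers. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension, which ships with PHP) so it runs stand-alone; the table, the sample rows and the payload string are constructed for the demonstration. It also covers a caveat none of the answers mention: escaping quotes does not neutralise LIKE's own metacharacters (% and _), which have to be escaped separately if the user is supposed to be searching for literal text.

```php
<?php
// Added example for this page (not from the original post): vulnerable string
// concatenation next to a prepared statement, run against a constructed SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (fullName TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO user (fullName, email) VALUES (?, ?)');
foreach ([['Pablo Ruiz', 'pablo@example.com'],   // constructed sample rows
          ['Ana Blok',   'ana@example.com'],
          ['Maria Perez','maria@example.com']] as $row) {
    $ins->execute($row);
}

// 1. The query from the question with the quotes fixed: wildcards inside the literal,
//    but the request value is still spliced into the SQL text.
function search_concat(PDO $db, string $user): array
{
    $sql = "SELECT fullName FROM user WHERE fullName LIKE '%" . $user . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened version. The value travels as a bound parameter, so quotes in it can
//    never terminate the literal. LIKE's own metacharacters are escaped so that a
//    user-supplied "%" or "_" matches itself instead of acting as a wildcard.
function escape_like(string $s): string
{
    // Backslash first, so the backslashes added for % and _ are not doubled again.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

function search_prepared(PDO $db, string $user): array
{
    // SQLite has no default escape character, hence the explicit ESCAPE clause.
    // MySQL already treats backslash as the escape character, but its string literal
    // would need to be written ESCAPE '\\' (or the clause omitted).
    $sql = <<<'SQL'
SELECT fullName FROM user WHERE fullName LIKE :pattern ESCAPE '\'
SQL;
    $stmt = $db->prepare($sql);
    $stmt->execute([':pattern' => '%' . escape_like($user) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Normal use: the "blo" search from the question.
print_r(search_concat($db, 'blo'));
print_r(search_prepared($db, 'blo'));

// Payload: closes the string literal and appends an always-true condition, then
// re-opens a literal so the trailing %' from the template still parses.
$payload = "x%' OR 1=1 OR fullName LIKE '";
print_r(search_concat($db, $payload));    // concatenation: the payload becomes SQL
print_r(search_prepared($db, $payload));  // prepared: the payload is only data

// A bare wildcard from the user is matched literally once escaped.
print_r(search_prepared($db, '%'));
```

Run it with `php example.php`. The concatenated variant returns every row for the payload because the injected `OR 1=1` is parsed as part of the WHERE clause, while the prepared variant returns nothing for it, since the whole string is compared as text. Note that `mysql_real_escape_string` (and the whole `mysql_*` extension) was removed in PHP 7; the same pattern applies with `mysqli` or PDO prepared statements, and the `%`/`_` escaping is still needed there, because quote escaping alone leaves users free to turn a substring search into `%` and pull the whole table.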


You have the quotes messed up. Use this:

$q=mysql_query('SELECT * 
                FROM user
                WHERE fullName LIKE "%' . $_REQUEST['user'] . '%"',$link );

BTW, this is bad practice. You are using un-escaped input in your query and are open to SQL injection.


It looks like your quotes are off. Try something like...

$q=mysql_query("select * From user Where fullName Like '%".$_REQUEST['user']."%'",$link);

Also, you will want to make sure that the incoming param is SQL-escaped to prevent SQL injection. I don't know PHP, but it's probably something similar to...

// mysql_real_escape_string() is the escaping function in PHP's old mysql extension
$q=mysql_query("select * From user Where fullName Like '%".mysql_real_escape_string($_REQUEST['user'])."%'",$link);


I think it must be ... Where fullname like '%" . $_REQUEST['user']."%'"... with the % symbol inside the single quotes.


@AndroidUser99: Change the query to --

$q = mysql_query("select * from user Where fullName like '%" . $_REQUEST['user'] . "%'", $link);

Update

I think we may need more code since none of the answers seem to be 'working'. Is the database link even being instantiated in $link? If there are errors what are they?

