yozza84, posted April 10, 2008:

Hello, I haven't been able to find any code on the tinterweb that works (you wouldn't believe how many we tried). The example from php.net is the one below:

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%') or Name LIKE '$stext' ",

This results in:

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1
Whole query: SELECT Name,Phone FROM `main` WHERE Town LIKE 'Name0r Name LIKE 's'

The Name0r bit I cannot understand. We have tried various things like "%.$stext.%" and many more, all the way to

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE ('".%replace("'","''",$stext%)."') or Name LIKE '".replace("'","''",$stext)."' "

which doesn't work either. This was suggested by my cousin in Australia, who told me I was vulnerable to injection attacks. Please, any help would be greatly appreciated.
Cosizzle, posted April 10, 2008:

Look at your closing bracket.

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%') or Name LIKE '$stext' ",

Try

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%' OR Name LIKE '$stext'");

I just tested this against a database I had and it worked fine.

RETURN:

mysql> SELECT fname,lname FROM individual WHERE lname LIKE '%y' OR fname LIKE 'Frank';
+---------+---------+
| fname   | lname   |
+---------+---------+
| James   | Hadley  |
| Susan   | Tingley |
| Frank   | Tucker  |
| Richard | Farley  |
+---------+---------+
4 rows in set (0.00 sec)
rhodesa, posted April 10, 2008:

Why are you using sprintf? Just do:

$stext = mysql_real_escape_string($stext); // Stop injection
$query = "SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%' OR Name LIKE '%$stext%'";
yozza84 (author), posted April 11, 2008:

OK, here's the full code; that was my mistake:

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%') or Name LIKE '$stext' ", mysql_real_escape_string($Name), mysql_real_escape_string($Phone));

There is the close bracket. The problem I have is with the wildcard: this query works fine without the % sign, but when I add it, it comes up like

nvalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1
Whole query: SELECT Name,Phone FROM `main` WHERE Town LIKE 'Name0r Name LIKE 's'

If you check where the wildcard is meant to be, it says 'Name0r. I can't figure this out.
rhodesa, posted April 11, 2008:

A couple of problems: First, you have a random right parenthesis before 'or Name'... get rid of that. Second, the code makes no sense. sprintf() is used to substitute values in by using the placeholder %s. Is what you are searching for $stext? I think you are looking for something along these lines:

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%%%s%%' OR Name LIKE '%%%s%%' ",
    mysql_real_escape_string($stext),
    mysql_real_escape_string($stext));

After that line, put:

print $query; exit;

and make sure the query looks like you want it to look. If you describe what you are trying to do in more detail, describing what the values of $stext, $Name, and $Phone are and what you are trying to do with them, or just post more of the code for the script, I can try and help you more.
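As an added example (mine, not code from the thread), here is the same search written with bound parameters using Python's sqlite3 rather than PHP and MySQL. Two points the replies leave implicit: in PHP a bare % inside the string handed to sprintf() is a conversion specifier, so a wildcard has to be written %% (which is why the OP's query lost its wildcards and produced 'Name0r'); and mysql_real_escape_string() protects the quotes but leaves % and _ alone, which are LIKE wildcards, so a user who types % alone matches every row. The code below builds the pattern itself, escapes the user's % and _ via an ESCAPE clause, and passes the pattern as a parameter, so quote characters in the input cannot change the SQL. The table name contacts and the rows are constructed for this example (the thread's table is `main`).

```python
import sqlite3

# Constructed sample rows (Name, Phone, Town); not data from the thread.
SAMPLE_ROWS = [
    ("Alice Smith", "555-0101", "York"),
    ("Bob Jones", "555-0102", "Leeds"),
    ("Carol 100%", "555-0103", "Bury"),
    ("Dan Sale", "555-0104", "Salford"),
]


def make_db():
    """Build an in-memory table (assumed name: contacts) holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (Name TEXT, Phone TEXT, Town TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def like_pattern(term):
    """Turn raw user input into a 'contains' pattern.

    The surrounding % wildcards are added by the code, never by the user: any
    backslash, % or _ in the input is escaped so it matches literally under
    ESCAPE '\\'.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return "%" + escaped + "%"


def search(conn, stext):
    """Parameterised equivalent of the thread's query.

    The pattern travels as a bound value, so quotes in stext cannot alter the
    statement, and the ESCAPE clause keeps user-typed wildcards literal.
    """
    pattern = like_pattern(stext)
    sql = ("SELECT Name, Phone FROM contacts "
           "WHERE Town LIKE ? ESCAPE '\\' OR Name LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (pattern, pattern)).fetchall()


def search_unescaped(conn, stext):
    """Bound parameter but no wildcard escaping: still injection-safe, yet a
    user who types '%' gets every row back (the data-exposure caveat)."""
    pattern = "%" + stext + "%"
    sql = "SELECT Name, Phone FROM contacts WHERE Town LIKE ? OR Name LIKE ?"
    return conn.execute(sql, (pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search(db, "s"))            # rows whose Town or Name contains an s
    print(search(db, "100%"))         # only the row containing a literal "100%"
    print(search_unescaped(db, "%"))  # all four rows: the wildcard leak
```

SQLite's LIKE is case-insensitive for ASCII by default, so "s" also matches "Smith" and "Sale"; MySQL's default collations behave the same way, so the result sets line up with what the thread's query would return. The same ESCAPE construction works in MySQL with a bound parameter through mysqli or PDO.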