% Does not work in php mysql code, can't find anywhere please help


yozza84

Hello,

 

I haven't been able to find any code on the tinterweb that works (you wouldn't believe how many we tried). The example from php.net is the one below

 

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%') or Name LIKE '$stext' ",

 

this results in

 

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1 Whole query: SELECT Name,Phone FROM `main` WHERE Town LIKE 'Name0r Name LIKE 's'

 

The NameOr bit I cannot understand

 

we have tried various things like "%.$stext.%" and many more all the way to

 

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE

('".%replace("'","''",$stext%)."') or Name LIKE

'".replace("'","''",$stext)."' "

 

which doesn't work either. This was suggested by my cousin in Australia, who told me I was vulnerable to injection attacks.

 

Please any help would be greatly appreciated  :)

Look at your closing bracket.

 

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%') or Name LIKE '$stext' ",

 

Try

 

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%' OR Name LIKE '$stext'");

 

 

I just tested this against a database I had and it worked fine.

mysql> SELECT fname,lname FROM individual WHERE lname LIKE '%y' OR fname LIKE 'Frank';
+---------+---------+
| fname   | lname   |
+---------+---------+
| James   | Hadley  | 
| Susan   | Tingley | 
| Frank   | Tucker  | 
| Richard | Farley  | 
+---------+---------+
4 rows in set (0.00 sec)

RETURN:

OK, here's the full code

 

that was my mistake

 

$query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%$stext%') or Name LIKE '$stext' ",

    mysql_real_escape_string($Name),

    mysql_real_escape_string($Phone));

 

there is the close bracket

 

The problem I have is with the wildcard. This query works fine without the % sign, but when I add it, it comes up like

 

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1 Whole query: SELECT Name,Phone FROM `main` WHERE Town LIKE 'Name0r Name LIKE 's'

 

If you check where the wildcard is meant to be, it says 'Name0r

 

I can't figure this out

A couple of problems:

 

First, you have a random right parenthesis before 'or Name'...get rid of that.

 

Second, the code makes no sense. sprintf() is used to substitute values in by using the placeholder %s. Is what you are searching for $stext? I think you are looking for something along these lines:

  $query = sprintf("SELECT Name,Phone FROM `main` WHERE Town LIKE '%%%s%%' OR Name LIKE '%%%s%%' ",
    mysql_real_escape_string($stext),
    mysql_real_escape_string($stext));

 

After that line, put:

print $query;exit;

and make sure the query looks like you want it to look

 

If you describe what you are trying to do in more detail, describing what the values of $stext, $Name, and $Phone are and what you are trying to do with them, or just post more of the code for the script, I can try and help you more.

 
