phpretard Posted July 28, 2008

$Type=$_POST['Type'];
$mainSearch=$_POST['mainSearch'];

SELECT * FROM table WHERE City, State, ZipCode LIKE '$mainSearch%' AND $type='1'

Why doesn't this work? It works without the -- , State, ZipCode -- so I know that's the problem. I just don't know the repair. Any help?

https://forums.phpfreaks.com/topic/116939-db-query-help-please/
scarhand Posted July 28, 2008

First off, what you have is extremely dangerous. You MUST use mysql_real_escape_string for any $_POST values unless you have gone through lengths that ensure the characters entered could not be malicious.

Secondly, you're using 2 different variables. "$Type" is NOT the same as "$type". Variables are case sensitive; that is why it is not working.
phpretard (Author) Posted July 28, 2008

Could you be a little more specific about the real escape string please, and the proposed dangers?
d.shankar Posted July 28, 2008

About 99.9% of SQL injection attacks can be averted by using the mysql_real_escape_string function. This is how you use it for the $_POST variables before sending them to your back-end.

<?php
$Type=$_POST['Type'];
$mainSearch=$_POST['mainSearch'];

$Type=mysql_real_escape_string($Type);
$mainSearch=mysql_real_escape_string($mainSearch);

//Perform your DB Operations here.
?>
LemonInflux Posted July 28, 2008

> About 99.9% of SQL injection attacks can be averted by using the mysql_real_escape_string function. This is how you use it for the $_POST variables before sending them to your back-end.
>
> <?php
> $Type=$_POST['Type'];
> $mainSearch=$_POST['mainSearch'];
>
> $Type=mysql_real_escape_string($Type);
> $mainSearch=mysql_real_escape_string($mainSearch);
>
> //Perform your DB Operations here.
> ?>

Or, if you're a real line-counter:

<?php
$Type=mysql_real_escape_string($_POST['Type']);
$mainSearch=mysql_real_escape_string($_POST['mainSearch']);

//Perform your DB Operations here.
?>
Wolphie Posted July 28, 2008

Try this:

// Each column needs its own LIKE; "City, State, ZipCode LIKE ..." is not valid SQL,
// so the three comparisons are OR'd together and the same escaped pattern is bound to each.
$query = sprintf("SELECT * FROM `table` WHERE (`City` LIKE '%s' OR `State` LIKE '%s' OR `ZipCode` LIKE '%s') AND `%s` = '1'",
    mysql_real_escape_string('%'. $_POST['mainSearch'] .'%'),
    mysql_real_escape_string('%'. $_POST['mainSearch'] .'%'),
    mysql_real_escape_string('%'. $_POST['mainSearch'] .'%'),
    mysql_real_escape_string($_POST['Type'])
);

$result = mysql_query($query) or trigger_error(mysql_error());

That's how I'd do it anyway, assuming the value of $_POST['Type'] will be equal to the name of a field.
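The thread's two points, the malformed multi-column LIKE and the unescaped $_POST values, can both be addressed without relying on string escaping at all. The following is an added example, not code from the thread or from phpfreaks: it uses mysqli prepared statements so the search term never becomes part of the SQL text, and a whitelist for the column chosen by $_POST['Type'], because bound parameters cannot stand in for identifiers and mysql_real_escape_string does nothing useful for a column name. The table name search_table, the column names Featured and Active, and the connection details are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumed schema: search_table with columns
// City, State, ZipCode and two flag columns, Featured and Active.
declare(strict_types=1);

// Only these columns may be selected by $_POST['Type']; anything else is rejected.
// Placeholders cannot bind identifiers, so a whitelist is the only safe option here.
const ALLOWED_TYPE_COLUMNS = ['Featured', 'Active'];

function buildSearchQuery(string $typeColumn): string
{
    if (!in_array($typeColumn, ALLOWED_TYPE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown Type column');
    }
    // Each column needs its own LIKE; "City, State, ZipCode LIKE ..." is not valid SQL.
    // $typeColumn is safe to interpolate only because it passed the whitelist above.
    return "SELECT * FROM `search_table`
            WHERE (`City` LIKE ? OR `State` LIKE ? OR `ZipCode` LIKE ?)
              AND `$typeColumn` = '1'";
}

// Escape the LIKE metacharacters so a "%" or "_" typed by the user matches literally
// (MySQL's default LIKE escape character is the backslash), then append the trailing
// wildcard the original '$mainSearch%' pattern used.
function likePrefix(string $term): string
{
    return addcslashes($term, '%_\\') . '%';
}

function runSearch(mysqli $db, string $typeColumn, string $term): array
{
    $stmt = $db->prepare(buildSearchQuery($typeColumn));
    $pattern = likePrefix($term);
    // The pattern is sent separately from the SQL text, so quotes or comment sequences
    // inside $term cannot change the structure of the statement.
    $stmt->bind_param('sss', $pattern, $pattern, $pattern);
    $stmt->execute();
    // get_result() needs the mysqlnd driver, which is standard in current PHP builds.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Connection details are placeholders; set the charset explicitly so the server and
// client agree on how bytes are interpreted.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4');

try {
    $rows = runSearch($db, $_POST['Type'] ?? '', $_POST['mainSearch'] ?? '');
    echo count($rows), " row(s) found\n";
} catch (InvalidArgumentException $e) {
    // A Type value outside the whitelist is a client error, not a query to run.
    http_response_code(400);
    echo $e->getMessage(), "\n";
}
```

The whitelist is the part most easily forgotten: escaping functions protect string literals, not table or column names, so any identifier taken from the request has to be compared against a fixed list before it is placed in the query.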
This topic is now archived and is closed to further replies.