phpretard Posted July 28, 2008 Share Posted July 28, 2008 $Type=$_POST['Type']; $mainSearch=$_POST['mainSearch']; SELECT * FROM table WHERE City, State, ZipCode LIKE '$mainSearch%' AND $type='1' Why doesn't this work? It works without the -- , State, ZipCode -- so I know that' the problem. I just don't know the repair. Any help? Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/ Share on other sites More sharing options...
scarhand Posted July 28, 2008 Share Posted July 28, 2008 first off, what you have is extremely dangerous you MUST use mysql_real_escape_string for any $_POST values unless you have gone through lengths that ensures characters entered could not be malicious secondly, youre using 2 different variables. "$Type" is NOT the same as "$type". variables are case sensitive, that is why it is not working. Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/#findComment-601343 Share on other sites More sharing options...
phpretard Posted July 28, 2008 Author Share Posted July 28, 2008 Could you be a little more specific about the real escape string please and the proposed dangers? Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/#findComment-601354 Share on other sites More sharing options...
d.shankar Posted July 28, 2008 Share Posted July 28, 2008 About 99.9% of SQL Injection attacks can be averted by using this mysql_real_escape_string function. This is how you use it for the $_POST variables before sending it to your back-end. <?php $Type=$_POST['Type']; $mainSearch=$_POST['mainSearch']; $Type=mysql_real_escape_string($Type); $mainSearch=mysql_real_escape_string($mainSearch); //Perform your DB Operations here. ?> Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/#findComment-601365 Share on other sites More sharing options...
LemonInflux Posted July 28, 2008 Share Posted July 28, 2008 About 99.9% of SQL Injection attacks can be averted by using this mysql_real_escape_string function. This is how you use it for the $_POST variables before sending it to your back-end. <?php $Type=$_POST['Type']; $mainSearch=$_POST['mainSearch']; $Type=mysql_real_escape_string($Type); $mainSearch=mysql_real_escape_string($mainSearch); //Perform your DB Operations here. ?> Or, if you're a real line-counter : <?php $Type=mysql_real_escape_string($_POST['Type']); $mainSearch=mysql_real_escape_string($_POST['mainSearch']); //Perform your DB Operations here. ?> ---------------- Now playing: Enter Shikari - Adieu (Routron 5000 Remix) via FoxyTunes Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/#findComment-601508 Share on other sites More sharing options...
d.shankar Posted July 28, 2008 Share Posted July 28, 2008 Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/#findComment-601512 Share on other sites More sharing options...
Wolphie Posted July 28, 2008 Share Posted July 28, 2008 Try this: $query = sprintf("SELECT * FROM `table` WHERE `City`, `State`, `ZipCode` LIKE '%s' AND `%s` = '1'", mysql_real_escape_string('%'. $_POST['mainSearch'] .'%'), mysql_real_escape_string($_POST['Type']) ); $result = mysql_query($query) or trigger_error(mysql_error()); That's how I'd do it any way, assuming the value of $_POST['Type'] will be equal to the name of a field. Quote Link to comment https://forums.phpfreaks.com/topic/116939-db-query-help-please/#findComment-601528 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.