Jump to content

DB Query Help Please

phpretard

By phpretard
in PHP Coding Help

 Share

Recommended Posts

phpretard Advanced Member

phpretard

Posted
Posted

$Type=$_POST['Type'];

$mainSearch=$_POST['mainSearch'];

 

SELECT * FROM table WHERE City, State, ZipCode LIKE '$mainSearch%' AND $type='1'

 

Why doesn't this work?

 

It works without the -- , State, ZipCode -- so I know that' the problem.

 

I just don't know the repair.

 

Any help?

Link to comment
Share on other sites
scarhand Advanced Member

scarhand

Posted
Posted

first off, what you have is extremely dangerous

 

you MUST use mysql_real_escape_string for any $_POST values unless you have gone through lengths that ensures characters entered could not be malicious

 

secondly, youre using 2 different variables. "$Type" is NOT the same as "$type". variables are case sensitive, that is why it is not working.

Link to comment
Share on other sites
d.shankar Regular Member

d.shankar

Posted
Posted 
About 99.9% of SQL Injection attacks can be averted by using this mysql_real_escape_string function.
This is how you use it for the $_POST variables before sending it to your back-end.

<?php
$Type=$_POST['Type'];
$mainSearch=$_POST['mainSearch'];

$Type=mysql_real_escape_string($Type);
$mainSearch=mysql_real_escape_string($mainSearch);

//Perform your DB Operations here.
?>

Link to comment
Share on other sites
LemonInflux Advanced Member

LemonInflux

Posted
Posted 

About 99.9% of SQL Injection attacks can be averted by using this mysql_real_escape_string function.
This is how you use it for the $_POST variables before sending it to your back-end.

<?php
$Type=$_POST['Type'];
$mainSearch=$_POST['mainSearch'];

$Type=mysql_real_escape_string($Type);
$mainSearch=mysql_real_escape_string($mainSearch);

//Perform your DB Operations here.
?>

 

Or, if you're a real line-counter :P:

 

<?php
$Type=mysql_real_escape_string($_POST['Type']);
$mainSearch=mysql_real_escape_string($_POST['mainSearch']);

//Perform your DB Operations here.
?>

 

----------------

Now playing: Enter Shikari - Adieu (Routron 5000 Remix)

via FoxyTunes

Link to comment
Share on other sites
Wolphie Member

Wolphie

Posted
Posted

Try this:

 

$query = sprintf("SELECT * FROM `table` WHERE `City`, `State`, `ZipCode` LIKE '%s' AND `%s` = '1'", 
  mysql_real_escape_string('%'. $_POST['mainSearch'] .'%'),
  mysql_real_escape_string($_POST['Type'])
);
$result = mysql_query($query) or trigger_error(mysql_error());

 

That's how I'd do it any way, assuming the value of $_POST['Type'] will be equal to the name of a field.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.