aarbrouk Posted May 14, 2009

Hello all, I need some help... I am trying to use the PHP function mysql_real_escape_string(). I have used it before and it helped me prevent SQL injections. But at the moment I am having trouble using the function on my search feature.

<?php
// $_GET being the search input from the user
$searchget = mysql_real_escape_string($_GET['Searchtext']);

// SQL query to find all products associated with the search criteria
$query = "SELECT * FROM product
          JOIN brand ON product.brandID=brand.BrandID
          JOIN style ON product.StyleID=style.StyleID
          WHERE product.ProductStatus = 'Active'
            AND brand.BrandStatus='Active'
            AND StyleStatus = 'Active'
            AND (ProductDescription like '%".$searchget."%'
              OR ProductTitle like '%".$searchget."%'
              OR BrandName like '%".$searchget."%')";
?>

Above is the code which I currently have, and the SELECT query just does not work.... When I say it doesn't work, I mean that the query dies, presumably because of a syntax error of some kind? Here is the query once printed when the code is run:

SELECT * FROM product JOIN brand ON product.brandID=brand.BrandID JOIN style ON product.StyleID=style.StyleID WHERE product.ProductStatus = 'Active' AND brand.BrandStatus='Active' AND StyleStatus = 'Active' AND (ProductDescription like 'men\'s' OR ProductTitle like 'men\'s' OR BrandName like 'men\'s') ORDER BY brand.BrandName ASC LIMIT 0, 20

Anyone have any ideas why it won't work? Thanks in advance for anyone's help.
Mchl Posted May 14, 2009

Display mysql_error() to check what the error message is.
aarbrouk Posted May 14, 2009 (Author)

<?php
// Run the query; on failure print the MySQL error message
$result = @mysql_query($query, $connection)
    or die("Unable to perform query <br>" . mysql_error());
echo $query;
?>

This is what I expect to happen once the previous code is run. When the code is run, all that is displayed as an error is "Unable to perform query" followed by the query:

SELECT * FROM product JOIN brand ON product.brandID=brand.BrandID JOIN style ON product.StyleID=style.StyleID WHERE product.ProductStatus = 'Active' AND brand.BrandStatus='Active' AND StyleStatus = 'Active' AND (ProductDescription like '%men\'s%' OR ProductTitle like '%men\'s%' OR BrandName like '%men\'s%') ORDER BY brand.BrandName ASC LIMIT 0, 20
aarbrouk Posted May 14, 2009 (Author)

The query works when "Mens" is entered and displays results in a table... But when "Men's" is input, the query gives "Unable to perform query". I thought that by using mysql_real_escape_string() I would get rid of this problem with apostrophes.
aarbrouk Posted May 14, 2009 (Author)

Mchl, I've now got it to produce an error using mysql_error(). The error is as follows:

Unable to perform query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's%' OR ProductTitle like '%men's%' OR BrandName like '%men's%' ORDER BY brand.Br' at line 1
Mchl Posted May 14, 2009

Apparently the data was not escaped... Do you have a stripslashes() function somewhere?
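The point Mchl is making can be seen by comparing the query that was printed (it contains men\'s, so the escaping did run) with the fragment MySQL quotes in its error (it contains men's, so the backslash was gone by the time the query reached the server). A stripslashes() call applied after escaping, or a magic_quotes/stripslashes mix-up on the input, produces exactly that. The example below is added here and is not the poster's or Mchl's code: the first function reproduces the breakage without a database, and the second shows the fix a practitioner would use today, binding the search term as a parameter instead of splicing it into the SQL, and escaping the LIKE wildcards % and _ that mysql_real_escape_string() never touched. The table and column names follow the thread's query; the PDO DSN and credentials are placeholders, and addslashes() stands in for the removed mysql_real_escape_string() only to show the same backslash escaping.

```php
<?php
// Added example, not from the original thread. Reproduces the bug discussed
// above and shows a parameterised replacement for the string-built query.

// 1. Why the thread's query broke: escaping that is undone before execution.
//    mysql_real_escape_string() no longer exists (removed in PHP 7); addslashes()
//    is used here only to produce the same backslash-escaped form ("men\'s").
function buildLegacyQuery(string $term, bool $undoEscaping): string
{
    $escaped = addslashes($term);            // men's  -> men\'s  (valid SQL)
    if ($undoEscaping) {
        $escaped = stripslashes($escaped);   // men\'s -> men's   (the bug Mchl suspects)
    }
    return "SELECT * FROM product WHERE ProductTitle LIKE '%" . $escaped . "%'";
}

// 2. LIKE has its own metacharacters. Quoting the apostrophe is not enough:
//    a search for "100%" or "a_b" would otherwise act as a wildcard pattern.
//    '!' is declared as the escape character in the SQL below.
function escapeLikePattern(string $term, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

// 3. The fix: the search term is bound as a parameter, so quotes in the input
//    can never change the structure of the statement. Distinct placeholder
//    names are used because native (non-emulated) prepares reject reuse of one
//    named placeholder. LIMIT cannot be a bound string, so it is integer-cast.
function searchProducts(PDO $pdo, string $term, int $limit = 20): array
{
    $pattern = '%' . escapeLikePattern($term) . '%';
    $sql = "SELECT p.*, b.BrandName
            FROM product p
            JOIN brand b ON p.brandID = b.BrandID
            JOIN style s ON p.StyleID = s.StyleID
            WHERE p.ProductStatus = 'Active'
              AND b.BrandStatus = 'Active'
              AND s.StyleStatus = 'Active'
              AND (p.ProductDescription LIKE :p1 ESCAPE '!'
                OR p.ProductTitle       LIKE :p2 ESCAPE '!'
                OR b.BrandName          LIKE :p3 ESCAPE '!')
            ORDER BY b.BrandName ASC
            LIMIT " . (int) $limit;

    $stmt = $pdo->prepare($sql);
    foreach ([':p1', ':p2', ':p3'] as $name) {
        $stmt->bindValue($name, $pattern, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration that needs no database: the second line is the broken query
// whose fragment MySQL quoted in the error message in the thread.
echo buildLegacyQuery("men's", false), "\n";   // ... LIKE '%men\'s%'
echo buildLegacyQuery("men's", true), "\n";    // ... LIKE '%men's%'
echo escapeLikePattern("100% men's_wear"), "\n"; // 100!% men's!_wear

// Usage against a real database (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
//                'DB_USER', 'DB_PASS',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// print_r(searchProducts($pdo, "men's"));
```

With the parameterised version the question of whether a stripslashes() call is lurking somewhere becomes irrelevant to correctness: the term never passes through the SQL parser as text, so an apostrophe cannot terminate the literal whether or not it was escaped earlier. The remaining defensive step is the LIKE escaping, which the string-concatenation approach in the thread left out entirely.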