
mysql_real_escape_string() small problem


robert_gsfame


How are you trying to use LIKE?

 

Do you have "apple" and you want to match "apple" | "apples"? 

 

When you put LIKE '% %' you are going to match anything with a space in it.

 

When you match LIKE '%s' you will match anything ending in s.

 

What is it you want to match?

lol, I was reading it as 2 lines, I know what you are talking about. 

 

mysql_query(sprintf("SELECT * FROM table WHERE name LIKE '%%%s%%'",
mysql_real_escape_string($username)));

 

2 % for every literal "%" in sprintf and one for the %s.

 

Okay... this problem is solved, but what if I create a dynamic query, for example

 

$a=$_GET['a'];
if(!empty($a)){
$a="AND name LIKE'%".$a."%'";}

 

and I wish this query to be executed using mysql_real_escape_string()

SELECT * FROM table1 WHERE column1='record1' $a

 

so that when $a is not empty I will have this query

SELECT * FROM table1 WHERE column1='record1' AND name LIKE '%a%'

 

else

 

SELECT * FROM table1 WHERE column1='record1'

 

 

$a=stripslashes(mysql_real_escape_string($_GET['a']));                    //original example says a="apples"
// add the LIKE clause only when a search term was supplied
$sqlLike=($a !== "") ? " AND name LIKE '%$a%'" : "";

$sql="SELECT * FROM table1 WHERE column1 = 'record1'".$sqlLike;

 

should set sql=

SELECT * FROM table1 WHERE column1 = 'record1' AND name LIKE '%apples%'

 

I believe if you mysql_real_escape it surrounds the value with ' and you need to stripslashes on it to get rid of them.  Depends on your installation though, safer to use it in this example.
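
Added example, not code from any poster in this thread: the optional LIKE filter built with bound parameters, which keeps user input out of the SQL text entirely (wrapping mysql_real_escape_string() in stripslashes() removes the backslashes the escaping added, and the function never adds quotes itself). Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, `!` is chosen as the LIKE escape character, and the helper names, sample rows and inputs are constructed.

```php
<?php
// Escape LIKE wildcards so the search term is matched literally.
// '!' is the escape character declared with ESCAPE '!' in the query below.
function escapeLike(string $value): string
{
    return strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Returns [sql, params]. The SQL text never contains user input;
// the optional clause only adds another placeholder.
function buildQuery(?string $a): array
{
    $sql = "SELECT name FROM table1 WHERE column1 = ?";
    $params = ['record1'];
    if ($a !== null && $a !== '') {
        $sql .= " AND name LIKE ? ESCAPE '!'";
        $params[] = '%' . escapeLike($a) . '%';
    }
    return [$sql, $params];
}

// Prepare and run the query, returning the matching names.
function search(PDO $db, ?string $a): array
{
    [$sql, $params] = buildQuery($a);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (SQLite in memory as a stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table1 (column1 TEXT, name TEXT)");
$ins = $db->prepare("INSERT INTO table1 VALUES (?, ?)");
$rows = [['record1', 'apples'], ['record1', "o'brien"],
         ['record1', '100%'], ['other', 'apples']];
foreach ($rows as $row) {
    $ins->execute($row);
}

// Constructed inputs standing in for $_GET['a'].
foreach ([null, 'apple', "o'br", '%', "x' OR '1'='1"] as $input) {
    echo var_export($input, true), ' => ', json_encode(search($db, $input)), "\n";
}
```

With a MySQL connection the same `buildQuery()` output can be passed to a PDO or mysqli prepared statement unchanged.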

Archived

This topic is now archived and is closed to further replies.
