forumnz, Posted February 3, 2011

I have an AJAX script which queries a DB when a user inputs a search text. That's great, works well. However, when I use mysql_real_escape_string, it seems to completely rid the '$q'. When I don't use it, it works well but of course, there's the security side of things.

Here's the code snippet:

    <?php
    error_reporting(E_ALL);

    $q = $_GET["q"];
    //added mysql_real_escape_string
    //$q = mysql_real_escape_string('$_GET["q"]');

    $con = mysql_connect("localhost","aaaaa","aaaaa");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("aaaaa", $con);

    $sql="SELECT * FROM articles WHERE keywords LIKE '%$q%'";
    ?>

It seems so simple, but it's just not working. What could it be?

QuickOldCar, Posted February 4, 2011

Use it like this:

    $q=mysql_real_escape_string($_GET['q']);

forumnz, Posted February 4, 2011

Thanks but it just selects everything. As if $q is empty. I know for a fact that it shouldn't select most of the rows it does. What else could it be?

Pikachu2000, Posted February 4, 2011

Connect to the database before using mysql_real_escape_string(), then try it again.

forumnz, Posted February 4, 2011

Very nice. Works now. Thank you!

Pikachu2000, Posted February 4, 2011

Hold on a minute. Look at your query.

    SELECT * FROM articles WHERE keywords LIKE '%$q%'

That query says "SELECT all fields FROM table WHERE keywords [contains the value in $q anywhere, regardless of its position in the string]". Is that what you mean for it to say?
This topic is now archived and is closed to further replies.
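
Added example, not part of the original thread: the same search written with a PDO prepared statement, which binds the term instead of escaping it, returns nothing for an empty term (the `'%%'` pattern that matches every row), and escapes the LIKE wildcards. It assumes the pdo_sqlite extension and an in-memory SQLite database with constructed rows so it runs offline; the function name `searchArticles` and the `!` escape character are choices made for this example.

```php
<?php
// Added example, not code from the thread. Table and column names come from
// the thread; searchArticles() and the sample rows are constructed here.

function searchArticles(PDO $db, string $q): array
{
    $q = trim($q);
    if ($q === '') {
        // An empty term would build the pattern '%%', which matches every row.
        return [];
    }

    // Binding prevents SQL injection, but % and _ are still LIKE wildcards.
    // Escape them with '!' (and escape '!' itself) in a single pass.
    $pattern = '%' . strtr($q, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';

    $stmt = $db->prepare(
        "SELECT * FROM articles WHERE keywords LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumption: SQLite in memory so the example runs without a server.
// Against MySQL only the DSN and credentials passed to PDO change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, keywords TEXT)');
$db->exec(
    "INSERT INTO articles (keywords)
     VALUES ('php, mysql'), ('100% cotton'), ('ajax search')"
);

// Constructed inputs: a normal term, an empty term, a bare wildcard,
// and a classic injection string.
foreach (['mysql', '', '%', "x' OR '1'='1"] as $term) {
    $rows = searchArticles($db, $term);
    printf("%-16s => %d row(s)\n", var_export($term, true), count($rows));
}
```

The bare `%` term matches only the row that contains a literal percent sign, and the injection string is treated as plain text to search for.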