Dian Posted March 8, 2015 Share Posted March 8, 2015 help me, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''%jateng%' WHERE (`kabupaten` LIKE '%demak%') OR (`kecamatan` LIKE ' at line 1" <?php $query = $_GET['query']; $select = $_GET['select']; // gets value sent over search form $min_length = 3; // you can set minimum length of the query if you want if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then $query = htmlspecialchars($query); // changes characters used in html to their equivalents, for example: < to > $query = mysql_real_escape_string($query); // makes sure nobody uses SQL injection $raw_results = mysql_query("SELECT * FROM '%".$select."%' WHERE (`kabupaten` LIKE '%".$query."%') OR (`kecamatan` LIKE '%".$query."%')") or die(mysql_error()); // * means that it selects all fields, you can also write: `id`, `title`, `text` // articles is the name of our table // '%$query%' is what we're looking for, % means anything, for example if $query is Hello // it will match "hello", "Hello man", "gogohello", if you want exact match use `title`='$query' // or if you want to match just full word so "gogohello" is out use '% $query %' ...OR ... '$query %' ... OR ... '% $query' if(mysql_num_rows($raw_results) > 0){ // if one or more rows are returned do following while($results = mysql_fetch_array($raw_results)){ // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop echo "<tr><td>".$results['provinsi']."</td>" ."<td>".$results['kabupaten']."</td>" ."<td>".$results['kecamatan']."</td>" ."<td>".$results['desa']."</td>" ."<td>".$results['kodepos']."</tr>"; // posts results gotten from database(title and text) you can also show id ($results['id']) } } else{ // if there is no matching rows do following echo "No results"; } } else{ // if query length is less than minimum echo "Minimum length is ".$min_length; } ?> Quote Link to comment Share on other sites More sharing options...
fastsol Posted March 9, 2015 Share Posted March 9, 2015 This '%".$select."%' Should be this `".$select."` But you also need to use mysql_real_escape_string on the $_GET['select'] too. Plus you should really start converting this to PDO instead, mysql functions are highly outdated and will be removed in upcoming php versions. Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted March 9, 2015 Share Posted March 9, 2015 if you are dynamically supplying the table name from user input, you must validate that it is exactly and only a permitted table name. no amount of escaping the table name, as through it is a piece of string data (it's not) will prevent sql injection in it, since it's not in the query in between single-quotes that you are trying to prevent it from escaping out of. supplying a dynamic table name also implies that you have created a bunch of different tables, one for each different $select value, where as you should have one table with a column that holds the $select value. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.