Jump to content

Recommended Posts

help me,

 

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''%jateng%' WHERE (`kabupaten` LIKE '%demak%') OR (`kecamatan` LIKE ' at line 1"

<?php
    $query = $_GET['query'];
	$select = $_GET['select'];
    // gets value sent over search form
     
    $min_length = 3;
    // you can set minimum length of the query if you want
     
    if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then
         
        $query = htmlspecialchars($query);
        // changes characters used in html to their equivalents, for example: < to >
         
        $query = mysql_real_escape_string($query);
        // makes sure nobody uses SQL injection
         
        $raw_results = mysql_query("SELECT * FROM '%".$select."%'
            WHERE (`kabupaten` LIKE '%".$query."%') OR (`kecamatan` LIKE '%".$query."%')") or die(mysql_error());
             
        // * means that it selects all fields, you can also write: `id`, `title`, `text`
        // articles is the name of our table
         
        // '%$query%' is what we're looking for, % means anything, for example if $query is Hello
        // it will match "hello", "Hello man", "gogohello", if you want exact match use `title`='$query'
        // or if you want to match just full word so "gogohello" is out use '% $query %' ...OR ... '$query %' ... OR ... '% $query'
         
        if(mysql_num_rows($raw_results) > 0){ // if one or more rows are returned do following
             
            while($results = mysql_fetch_array($raw_results)){
            // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop
             
                echo 
					"<tr><td>".$results['provinsi']."</td>"
					."<td>".$results['kabupaten']."</td>"
					."<td>".$results['kecamatan']."</td>"
					."<td>".$results['desa']."</td>"
					."<td>".$results['kodepos']."</tr>";
                // posts results gotten from database(title and text) you can also show id ($results['id'])
            }
             
        }
        else{ // if there is no matching rows do following
            echo "No results";
        }
         
    }
    else{ // if query length is less than minimum
        echo "Minimum length is ".$min_length;
    }
?>
Link to comment
https://forums.phpfreaks.com/topic/295183-search-box-with-select-options/
Share on other sites

This

'%".$select."%'

Should be this

`".$select."`

But you also need to use mysql_real_escape_string on the $_GET['select'] too.  Plus you should really start converting this to PDO instead, mysql functions are highly outdated and will be removed in upcoming php versions.

if you are dynamically supplying the table name from user input, you must validate that it is exactly and only a permitted table name.

 

no amount of escaping the table name, as through it is a piece of string data (it's not) will prevent sql injection in it, since it's not in the query in between single-quotes that you are trying to prevent it from escaping out of.

 

supplying a dynamic table name also implies that you have created a bunch of different tables, one for each different $select value,  where as you should have one table with a column that holds the $select value.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.