
Problem in php4 vs Mysql4 (Select query doesn't support "%")


cty


Good day,

I am currently using MySQL server and client 4.0.14b and PHP 4.4.4.

I am facing a coding problem; can anyone give me some ideas?
Hopefully you can guide me to fix it.

---------------------------------------------------------------
error message shown:

cannot execute sql becauseYou have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '% %' at line 1

-----------------------------------------------------------
<html>
<head>
</head>
<body>
<form action="result.php" method="post">
Choose Search Type:<br />
<select name="searchtype">
<option value="author">Author</option>
<option value="title">Title</option>
<option value="isbn">ISBN</option>
</select>
<br />
Enter Search Term:
<br />
<input type="text" name="searchterm">
<br />
<input type="submit" value="Search">
</form>
</body>
</html>
------------------------------------------------------------
// result.php


<html>
<head>
<title>New Page 1</title>
</head>
<body>
<?php
$searchtype = $_POST['searchtype'];
$searchterm = $_POST['searchterm'];

// the query the error message refers to (highlighted in the original post)
$query = "SELECT * FROM book where " . $searchtype . " like% " . $searchterm . "%";
$connection = mysql_connect("localhost", "root", "") or die("cannot connect!");
mysql_select_db("kelly") or die("cannot select db!");

$result = mysql_query($query) or die("cannot execute sql because" . mysql_error());

if (mysql_num_rows($result) > 0) {
    echo "<table>";
    echo "<tr>";
    echo "<td>ISBN</td>";
    echo "<td>TITLE</td>";
    echo "</tr>";
    while ($row = mysql_fetch_assoc($result)) {
        echo "<tr>";
        echo "<td>" . $row['isbn'] . "</td>";
        echo "<td>" . $row['title'] . "</td>";
        echo "</tr>";
    }
    echo "</table>";
} else {
    echo "No data found!";
}

mysql_close($connection);
?>

</body>
</html>
------------------------------------------------//(end)

From,
UTAR student
MALAYSIA
$query = "SELECT * FROM book where " . $searchtype . " like '%" . mysql_real_escape_string($searchterm) . "%'";


This is very insecure, as $searchtype could be anything. It could be quite slow too, if there are many books.
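The reply's two warnings, worked through in a hardened result.php. This is an added example, not code from either poster; it keeps the PHP 4 mysql_* API the thread is built on. The point the reply makes about $searchtype is that escaping cannot help there: the column name is an identifier, not a string literal, so a value such as `title OR 1=1 -- ` rewrites the WHERE clause no matter how well the search term is escaped. The only fix is a whitelist of the three columns the form offers. The search term is a string literal, so mysql_real_escape_string() handles quotes and backslashes; the LIKE metacharacters % and _ are escaped separately so a user cannot turn the search into a full table scan. The database user name, the length limit and the error-logging choice are assumptions.

```php
<?php
// Added example (not from the original thread): hardened result.php for the
// PHP 4 / mysql_* setup discussed above. Table and column names (book, author,
// title, isbn) are the ones the original post uses; the database user 'bookapp'
// and its password are placeholders (assumption: the app no longer runs as root).

// 1. The column name is an identifier and cannot be escaped; only a whitelist
//    of the columns the form actually offers is safe. Strict comparison so
//    values such as "0" or an array never match.
$allowed_columns = array('author', 'title', 'isbn');

$searchtype = isset($_POST['searchtype']) ? $_POST['searchtype'] : '';
$searchterm = isset($_POST['searchterm']) ? $_POST['searchterm'] : '';

if (!is_string($searchtype) || !in_array($searchtype, $allowed_columns, true)) {
    // Reject; do not echo the attacker-controlled value back into the page.
    die('Invalid search type.');
}
if (!is_string($searchterm) || strlen($searchterm) < 1 || strlen($searchterm) > 100) {
    die('Search term must be 1-100 characters.');  // length limit is an assumption
}

// 2. Connect BEFORE escaping: mysql_real_escape_string() needs an open
//    connection (it uses the connection's character set); called before
//    mysql_connect() it only emits a warning and returns false.
$connection = mysql_connect('localhost', 'bookapp', 'change-me')
    or die('cannot connect!');
mysql_select_db('kelly', $connection) or die('cannot select db!');

// 3. Escape the string literal, then the LIKE wildcards. mysql_real_escape_string()
//    doubles backslashes and escapes quotes but leaves % and _ alone, so a term
//    like "100%" would otherwise match every row. With the default LIKE escape
//    character (backslash), \% and \_ match the literal characters.
$escaped = mysql_real_escape_string($searchterm, $connection);
$escaped = str_replace(array('%', '_'), array('\\%', '\\_'), $escaped);

// $searchtype is now one of three known identifiers; $escaped is a safe literal.
$query = "SELECT isbn, title FROM book WHERE `" . $searchtype . "` LIKE '%" . $escaped . "%'";

$result = mysql_query($query, $connection);
if (!$result) {
    // Log the real error server-side. Showing mysql_error() to the user, as the
    // original does, tells an attacker exactly how the query is assembled.
    error_log('book search failed: ' . mysql_error($connection));
    die('Search failed.');
}

// 4. HTML-escape the output: a title containing "<script>" must not run in the
//    browser of whoever searches for it.
if (mysql_num_rows($result) > 0) {
    echo "<table>\n<tr><th>ISBN</th><th>Title</th></tr>\n";
    while ($row = mysql_fetch_assoc($result)) {
        echo '<tr><td>' . htmlspecialchars($row['isbn'], ENT_QUOTES) . '</td><td>'
           . htmlspecialchars($row['title'], ENT_QUOTES) . "</td></tr>\n";
    }
    echo "</table>\n";
} else {
    echo 'No data found!';
}

mysql_close($connection);
?>
```

Two caveats on the reply's one-liner that this version avoids: in the original file the query is built before mysql_connect() runs, so mysql_real_escape_string() there has no connection to use, and the reply's slowness warning stands for this version too, because a pattern starting with % cannot use a B-tree index on the column; on MySQL 4.0 a FULLTEXT index on a MyISAM table with MATCH ... AGAINST is the usual answer if the catalogue grows.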
