What's Wrong With This Query?

Started by Jineps, March 01, 2014, 06:20:20 PM


Jineps

Hi everyone !

What's wrong with this query? It's working, but SMF is logging a warning.


$name_parcala = explode(' ', $i_name);

$items = $smcFunc['db_query']('', '
    SELECT *
    FROM ' . $j_items . '
    WHERE (i_name LIKE "%' . $name_parcala[0] . '%" OR i_name LIKE "%' . $name_parcala[1] . '%")
        AND i_statu = "1" AND i_premium = "0" AND i_id <> "' . $i_id . '"
    LIMIT 30
');


NanoSector

Hi Jineps,

What errors does it throw into the error log, exactly?
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Jineps



i_id=614

Hacking attempt...

SELECT *
FROM table
WHERE (i_name like "%What's%" OR i_name LIKE "%the%") AND i_statu = "1" AND i_premium = "0" AND i_id <> "614"
LIMIT 30

emanuele


$name_parcala = explode(' ', $i_name);

$items = $smcFunc['db_query']('', '
    SELECT *
    FROM ' . $j_items . '
    WHERE (i_name LIKE {string:first} OR i_name LIKE {string:second})
        AND i_statu = {int:statu}
        AND i_premium = {int:premium}
        AND i_id != {int:id}
    LIMIT {int:limit}',
    array(
        'first' => '%' . $name_parcala[0] . '%',
        'second' => '%' . $name_parcala[1] . '%',
        'statu' => 1,
        'premium' => 0,
        'id' => $i_id,
        'limit' => 30,
    )
);


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem properly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Jineps

@emanuele thank you, I changed it but it's not working; my code is here.



// document

$name_parcala = explode(' ', $i_name);

$items = $smcFunc['db_query']('', '
    SELECT *
    FROM ' . $j_items . '
    WHERE (i_name LIKE {string:first} OR i_name LIKE {string:second})
        AND i_statu = {int:statu}
        AND i_premium = {int:premium}
        AND i_id != {int:id}
    LIMIT {int:limit}',
    array(
        'first' => '%' . $name_parcala[0] . '%',
        'second' => '%' . $name_parcala[1] . '%',
        'statu' => 1,
        'premium' => 0,
        'id' => $i_id,
        'limit' => 30,
    )
);

$item_count = $smcFunc['db_num_rows']($items);

if ($item_count > 0)
{
    while ($row = $smcFunc['db_fetch_assoc']($items)) {

        $i_id = $row['i_id'];
        $i_name = $row['i_name'];
        $i_meta = $row['i_meta'];
        $i_desc = $row['i_desc'];
        $i_catid = $row['i_catid'];
        $i_statu = $row['i_statu'];
        $i_type = $row['i_type'];
        $i_hit = $row['i_hit'];
        $i_date = $row['i_date'];
        $i_premium = $row['i_premium'];
        $seo_name = jineps_seotitle($i_name);
        ......

emanuele

$j_items is "table" and nothing else?



Jineps


margarett

It needs to be database.table, methinks.
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

emanuele

Have a look at the log, it should report the error.
I feel it's
Illegal character (\') used in query...
If so, the problem is the "What's": you should probably use htmlspecialchars on that or, if you stored exactly the single quote, you have to override the security with:
$name_parcala = explode(' ', $i_name);

// 'security_override' goes in the values array (the third argument of db_query);
// it makes SMF skip the single-quote check on the query string.
$items = $smcFunc['db_query']('', '
    SELECT *
    FROM ' . $j_items . '
    WHERE (i_name LIKE \'%' . $name_parcala[0] . '%\' OR i_name LIKE \'%' . $name_parcala[1] . '%\')
        AND i_statu = 1
        AND i_premium = 0
        AND i_id != ' . $i_id . '
    LIMIT 30',
    array(
        'security_override' => true,
    )
);

Or something like that...


Take a peek at what I'm doing! ;D




Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.
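The check emanuele is pointing at, as an added example that is not code from the thread and not SMF's own code: a small stand-in for $smcFunc['db_query'] that reproduces the two SMF 2.0 behaviours behind the "Hacking attempt..." entry (a single quote in the raw query template is refused before any placeholder is substituted, and {string:}/{int:} values are escaped or type-checked during substitution), run against both query styles from the thread. The names demo_db_query, demo_escape_wildcards, concatenated_query and placeholder_query are chosen here, addslashes() only stands in for the driver-level escaping the real function uses, and the j_items table name and the inputs "What's the" / 614 are constructed from the thread's log excerpt.

```php
<?php
// Added example (not from the thread, not SMF's own code): a stand-in for
// $smcFunc['db_query'] reproducing the two SMF 2.0 behaviours behind the
// "Hacking attempt..." log entry, so both query styles can be run offline.
//
//  1. Before placeholders are substituted, a single quote anywhere in the raw
//     query template is rejected ("Illegal character (') used in query...")
//     unless 'security_override' is set in the values array.
//  2. {string:name} is quoted and escaped, {int:name} must be a real integer,
//     so substituted values never reach the template check unescaped.
//
// addslashes() stands in for the driver-level escaping the real function uses.
function demo_db_query($template, $values = array())
{
    if (empty($values['security_override']) && strpos($template, "'") !== false) {
        throw new RuntimeException("Hacking attempt... Illegal character (') used in query...");
    }

    return preg_replace_callback(
        '~\{([a-z_]+):([a-zA-Z0-9_-]+)\}~',
        function ($m) use ($values) {
            $type = $m[1];
            $name = $m[2];
            if (!array_key_exists($name, $values)) {
                throw new RuntimeException('Missing value for {' . $type . ':' . $name . '}');
            }
            $v = $values[$name];
            if ($type === 'string') {
                return "'" . addslashes($v) . "'";
            }
            if ($type === 'int') {
                if (!is_numeric($v) || (string) $v !== (string) (int) $v) {
                    throw new RuntimeException('Integer expected for {int:' . $name . '}');
                }
                return (string) (int) $v;
            }
            throw new RuntimeException('Unknown placeholder type ' . $type);
        },
        $template
    );
}

// Escape LIKE wildcards so a "%" or "_" typed by the user matches literally
// (the same job SMF's $smcFunc['db_escape_wildcard_string'] does).
function demo_escape_wildcards($s)
{
    return strtr($s, array('\\' => '\\\\', '%' => '\%', '_' => '\_'));
}

// The thread's original style: values concatenated into the template, so the
// apostrophe in "What's" is seen by the template check and the query is refused.
function concatenated_query($i_name, $i_id)
{
    $parts = explode(' ', $i_name);
    return demo_db_query('
        SELECT *
        FROM j_items
        WHERE (i_name LIKE "%' . $parts[0] . '%" OR i_name LIKE "%' . $parts[1] . '%")
            AND i_statu = "1" AND i_premium = "0" AND i_id <> "' . $i_id . '"
        LIMIT 30');
}

// The placeholder style from the answer, plus two things the thread's version
// lacks: a one-word name no longer reads the undefined second element, and user
// wildcards are escaped before the surrounding % anchors are added.
function placeholder_query($i_name, $i_id)
{
    $parts = explode(' ', trim($i_name));
    $first = demo_escape_wildcards($parts[0]);
    $second = isset($parts[1]) ? demo_escape_wildcards($parts[1]) : $first;

    return demo_db_query('
        SELECT *
        FROM j_items
        WHERE (i_name LIKE {string:first} OR i_name LIKE {string:second})
            AND i_statu = {int:statu}
            AND i_premium = {int:premium}
            AND i_id != {int:id}
        LIMIT {int:limit}',
        array(
            'first' => '%' . $first . '%',
            'second' => '%' . $second . '%',
            'statu' => 1,
            'premium' => 0,
            'id' => $i_id,
            'limit' => 30,
        )
    );
}

// Constructed inputs: the name and item id from the thread's log excerpt.
try {
    concatenated_query("What's the", 614);
} catch (RuntimeException $e) {
    echo "concatenated: ", $e->getMessage(), "\n";
}
echo "placeholders: ", placeholder_query("What's the", 614), "\n";
echo "one word:     ", placeholder_query("100%", 614), "\n";
```

Run it with `php demo.php`: the concatenated version is refused with the same message emanuele quotes, while the placeholder version prints a query in which the apostrophe arrives already escaped inside a quoted literal. In a real SMF installation the wildcard escaping is done by $smcFunc['db_escape_wildcard_string'] (assumed here to be present in the installed version), and the single-quote check can be turned off for one query with 'security_override' in the values array, which is the last resort rather than the fix.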

Jineps

@emanuele yes, you are right, I solved it like this. Sorry I didn't write it here :s thanks.

$i_name = j_sec(addslashes($i_name));

emanuele

It would be better to sanitize the inputs (e.g. htmlspecialchars) before sending them to the database.
And probably instead of addslashes it would be better to use mysql_real_escape_string (I think).



Jineps

Yep, it's more useful and correct than my code; I changed it to mysql_real_escape_string.

thanks..

Jineps


How can I update a column?

mysql_query("UPDATE table SET x=xx where id= 2") ....

but how can I use an update query with $smcFunc?


emanuele

Almost exactly the same:
$smcFunc['db_query']('', '
    UPDATE {db_prefix}table
    SET x = {string:x_val}
    WHERE id = {int:id}',
    array(
        'x_val' => 'xx',
        'id' => 2,
    )
);


