Text only | Text with Images

Simple Machines Community Forum

General Community => Scripting Help => Topic started by: Saleh on August 06, 2003, 09:16:32 AM

Title: [MySQL]What's wrong with this ?
Post by: Saleh on August 06, 2003, 09:16:32 AM
Code Select
SELECT title, bookID, authF, authL, price
         WHERE title LIKE '%$title2%'
         ORDER BY price;
what is wrong with this damn MySQL ?
it gives me this :
You have an error in your SQL syntax near 'ORDER BY price WHERE title LIKE '%enhanced%'' at line 2
Title: Re:[MySQL]What's wrong with this ?
Post by: ۞ on August 06, 2003, 09:19:17 AM
Did you put a number by the wildcards? I believe % only works with text.
Title: Re:[MySQL]What's wrong with this ?
Post by: Haase on August 06, 2003, 12:00:26 PM
He did put a number by the wildcard, %title2%.

I'm not sure about mySQL, but in Oracle, you can do this.  At work I maintain an order system and I'm always using "WHERE order_number LIKE '1302%';"

You should try troubleshooting by first taking out the ORDER BY clause, and see if that resolves your error. If you still have an error, put ORDER BY back in and get rid of your WHERE clause.

I have a sneaky suspicion that it doesn't like the fact that you've put the variable between wildcards.  Maybe try like '%{$title2}%' instead.

Or probably even better, right before the query, put this line:
Code Select
$title2 = '%' . $title2 . '%';
and then make your query look like this:
Code Select
SELECT title, bookID, authF, authL, price
        WHERE title LIKE '$title2'
        ORDER BY price;
Title: Re:[MySQL]What's wrong with this ?
Post by: Saleh on August 06, 2003, 12:15:04 PM
ok I am sorry I just rushed in posting ,,,
the problem was I didn't specify what table to SELECT from it !! :P
and that wildcard thing .. title2 is a varibal handled via POST form ..  :D
after I specified the table it went okay ;)
it should be like this :
Code Select
SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%$title2%'
ORDER BY price;
FROM books was missing :P

and about wildcard handeling numbers ,, it's possible .. no problem in that ..
I am just new in PHP and MySQL but I am learning pretty fast .. PRETTY FAST ;D
Title: Re:[MySQL]What's wrong with this ?
Post by: Zef Hemel on August 06, 2003, 12:53:10 PM
I hope you applied mysql_escape_string() to that $title2 POST field ;)
Title: Re:[MySQL]What's wrong with this ?
Post by: Saleh on August 07, 2003, 05:51:51 AM
Quote from: Zef Hemel on August 06, 2003, 12:53:10 PM
I hope you applied mysql_escape_string() to that $title2 POST field ;)
I didn't use that function .. but the script is working fine until now -at least- ..
I am using addslashes(); instead .. also trim() ..
so thet $title2 will be clean enough so not to confuse poor mysql ;D
Title: Re:[MySQL]What's wrong with this ?
Post by: Zef Hemel on August 07, 2003, 08:27:34 AM
Confusing MySQL wasn't my primary concern, it was merely security I was worying about.
Title: Re:[MySQL]What's wrong with this ?
Post by: Saleh on August 07, 2003, 08:38:42 AM
and how security can be harmed ?
I am asking because I am php green ;) and I want to learn more ..
Title: Re:[MySQL]What's wrong with this ?
Post by: Zef Hemel on August 09, 2003, 06:43:12 AM
By using a ' in your form string you could break out of the SQL query, start a new one retrieving/inserting/deleting any data from the database you want. For example, let's say your variable $title2 has the value:
Code Select
something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla
This is what your query will become:

Code Select
SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla%'
ORDER BY price;
Result => Empty books table
Title: Re:[MySQL]What's wrong with this ?
Post by: [Unknown] on August 09, 2003, 04:55:36 PM
PHP won't allow you to do two queries in one string, luckily enough, but it is still a problem.

-[Unknown]
Text only | Text with Images