News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

[MySQL]What's wrong with this ?

Started by Saleh, August 06, 2003, 09:16:32 AM

Previous topic - Next topic

Saleh

SELECT title, bookID, authF, authL, price
         WHERE title LIKE '%$title2%'
         ORDER BY price;

what is wrong with this damn MySQL ?
it gives me this :
You have an error in your SQL syntax near 'ORDER BY price WHERE title LIKE '%enhanced%'' at line 2

We don't need a reason to help people

۞

Did you put a number by the wildcards? I believe % only works with text.
TTTTTT  OOOOOO MMMMMM   BBBBBB


Haase

He did put a number by the wildcard, %title2%.

I'm not sure about mySQL, but in Oracle, you can do this.  At work I maintain an order system and I'm always using "WHERE order_number LIKE '1302%';"

You should try troubleshooting by first taking out the ORDER BY clause, and see if that resolves your error. If you still have an error, put ORDER BY back in and get rid of your WHERE clause.

I have a sneaky suspicion that it doesn't like the fact that you've put the variable between wildcards.  Maybe try like '%{$title2}%' instead.

Or probably even better, right before the query, put this line: $title2 = '%' . $title2 . '%';
and then make your query look like this:SELECT title, bookID, authF, authL, price
        WHERE title LIKE '$title2'
        ORDER BY price;
Find out about Enigma, the portal built exclusively for YaBB SE will be continuing it's work towards SMF

Saleh

#3
ok I am sorry I just rushed in posting ,,,
the problem was I didn't specify what table to SELECT from it !! :P
and that wildcard thing .. title2 is a varibal handled via POST form ..  :D
after I specified the table it went okay ;)
it should be like this :
SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%$title2%'
ORDER BY price;

FROM books was missing :P

and about wildcard handeling numbers ,, it's possible .. no problem in that ..
I am just new in PHP and MySQL but I am learning pretty fast .. PRETTY FAST ;D

We don't need a reason to help people

Zef Hemel

I hope you applied mysql_escape_string() to that $title2 POST field ;)

Saleh

Quote from: Zef Hemel on August 06, 2003, 12:53:10 PM
I hope you applied mysql_escape_string() to that $title2 POST field ;)
I didn't use that function .. but the script is working fine until now -at least- ..
I am using addslashes(); instead .. also trim() ..
so thet $title2 will be clean enough so not to confuse poor mysql ;D

We don't need a reason to help people

Zef Hemel

Confusing MySQL wasn't my primary concern, it was merely security I was worying about.

Saleh

and how security can be harmed ?
I am asking because I am php green ;) and I want to learn more ..

We don't need a reason to help people

Zef Hemel

By using a ' in your form string you could break out of the SQL query, start a new one retrieving/inserting/deleting any data from the database you want. For example, let's say your variable $title2 has the value: something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla
This is what your query will become:

SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla%'
ORDER BY price;

Result => Empty books table

[Unknown]

PHP won't allow you to do two queries in one string, luckily enough, but it is still a problem.

-[Unknown]

Advertisement: