Advertisement:

Author Topic: [MySQL]What's wrong with this ?  (Read 15047 times)

Offline Saleh

  • Sophist Member
  • *****
  • Posts: 1,326
  • Gender: Male
  • Claymore Fan
    • PHP Simplicity
[MySQL]What's wrong with this ?
« on: August 06, 2003, 09:16:32 AM »
Code: [Select]
SELECT title, bookID, authF, authL, price
          WHERE title LIKE '%$title2%'
          ORDER BY price;
what is wrong with this damn MySQL ?
it gives me this :
You have an error in your SQL syntax near 'ORDER BY price WHERE title LIKE '%enhanced%'' at line 2

We don't need a reason to help people

Offline ۞

  • Jr. Member
  • **
  • Posts: 340
  • Gender: Male
  • I dont know what to put here, I'll leave it blank.
Re:[MySQL]What's wrong with this ?
« Reply #1 on: August 06, 2003, 09:19:17 AM »
Did you put a number by the wildcards? I believe % only works with text.
TTTTTT  OOOOOO MMMMMM   BBBBBB


Offline Haase

  • Semi-Newbie
  • *
  • Posts: 94
  • Gender: Male
  • You can't win... but you can lose intelligently
    • One Free Voice
Re:[MySQL]What's wrong with this ?
« Reply #2 on: August 06, 2003, 12:00:26 PM »
He did put a number by the wildcard, %title2%.

I'm not sure about mySQL, but in Oracle, you can do this.  At work I maintain an order system and I'm always using "WHERE order_number LIKE '1302%';"

You should try troubleshooting by first taking out the ORDER BY clause, and see if that resolves your error. If you still have an error, put ORDER BY back in and get rid of your WHERE clause.

I have a sneaky suspicion that it doesn't like the fact that you've put the variable between wildcards.  Maybe try like '%{$title2}%' instead.

Or probably even better, right before the query, put this line:
Code: [Select]
$title2 = '%' . $title2 . '%';and then make your query look like this:
Code: [Select]
SELECT title, bookID, authF, authL, price
         WHERE title LIKE '$title2'
         ORDER BY price;
Find out about Enigma, the portal built exclusively for YaBB SE will be continuing it's work towards SMF

Offline Saleh

  • Sophist Member
  • *****
  • Posts: 1,326
  • Gender: Male
  • Claymore Fan
    • PHP Simplicity
Re:[MySQL]What's wrong with this ?
« Reply #3 on: August 06, 2003, 12:15:04 PM »
ok I am sorry I just rushed in posting ,,,
the problem was I didn't specify what table to SELECT from it !! :P
and that wildcard thing .. title2 is a varibal handled via POST form ..  :D
after I specified the table it went okay ;)
it should be like this :
Code: [Select]
SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%$title2%'
ORDER BY price;
FROM books was missing :P

and about wildcard handeling numbers ,, it's possible .. no problem in that ..
I am just new in PHP and MySQL but I am learning pretty fast .. PRETTY FAST ;D
« Last Edit: August 06, 2003, 12:18:26 PM by NeverMind »

We don't need a reason to help people

Offline Zef Hemel

  • SMF Friend
  • Jr. Member
  • *
  • Posts: 129
  • Gender: Male
  • alienine fan
    • ZefHemel.com
Re:[MySQL]What's wrong with this ?
« Reply #4 on: August 06, 2003, 12:53:10 PM »
I hope you applied mysql_escape_string() to that $title2 POST field ;)

Offline Saleh

  • Sophist Member
  • *****
  • Posts: 1,326
  • Gender: Male
  • Claymore Fan
    • PHP Simplicity
Re:[MySQL]What's wrong with this ?
« Reply #5 on: August 07, 2003, 05:51:51 AM »
I hope you applied mysql_escape_string() to that $title2 POST field ;)
I didn't use that function .. but the script is working fine until now -at least- ..
I am using addslashes(); instead .. also trim() ..
so thet $title2 will be clean enough so not to confuse poor mysql ;D

We don't need a reason to help people

Offline Zef Hemel

  • SMF Friend
  • Jr. Member
  • *
  • Posts: 129
  • Gender: Male
  • alienine fan
    • ZefHemel.com
Re:[MySQL]What's wrong with this ?
« Reply #6 on: August 07, 2003, 08:27:34 AM »
Confusing MySQL wasn't my primary concern, it was merely security I was worying about.

Offline Saleh

  • Sophist Member
  • *****
  • Posts: 1,326
  • Gender: Male
  • Claymore Fan
    • PHP Simplicity
Re:[MySQL]What's wrong with this ?
« Reply #7 on: August 07, 2003, 08:38:42 AM »
and how security can be harmed ?
I am asking because I am php green ;) and I want to learn more ..

We don't need a reason to help people

Offline Zef Hemel

  • SMF Friend
  • Jr. Member
  • *
  • Posts: 129
  • Gender: Male
  • alienine fan
    • ZefHemel.com
Re:[MySQL]What's wrong with this ?
« Reply #8 on: August 09, 2003, 06:43:12 AM »
By using a ' in your form string you could break out of the SQL query, start a new one retrieving/inserting/deleting any data from the database you want. For example, let's say your variable $title2 has the value:
Code: [Select]
something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%blaThis is what your query will become:

Code: [Select]
SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla%'
ORDER BY price;
Result => Empty books table

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re:[MySQL]What's wrong with this ?
« Reply #9 on: August 09, 2003, 04:55:36 PM »
PHP won't allow you to do two queries in one string, luckily enough, but it is still a problem.

-[Unknown]