I'm having some trouble passing a number to a GET sting in php, using a urlencode and then urldecode (have tried both the standard urlencode and rawurlencode). The problem is limited to numerical values, as my code works fine for everything else.
Here are relevant sections of code:
if (isset($_GET['q'])) {
$qry = $_GET['q'];
$qry = urldecode($qry);
}
This is the code used for searching:
$qry = "SELECT * FROM jobs JOIN clients ON jobs.Client = clients.ClientCode WHERE JobNumber LIKE '%1%'";
if (isset($_GET['DP']) && (strlen($_GET['DP']) > 0)) {
$qry .= " AND DP LIKE %" . $_GET['DP'] . "%";
} elseif (isset($_POST['DP']) && (strlen($_POST['DP']) > 0)) {
$qry .= " AND DP LIKE '%" . $_POST['DP'] . "%'";
}
if (isset($_GET['JobDescription'])) {
$qry .= " AND JobDescription LIKE '%" . $_GET['JobDescription'] . "%'";
} elseif (isset($_POST['JobDescription']) && (strlen($_POST['JobDescription']) > 0)) {
$qry .= " AND JobDescription LIKE '%" . $_POST['JobDescription'] . "%'";
}
if (isset($_GET['JobNumber'])) {
$qry .= " AND JobNumber LIKE '%" . $_GET['JobNumber'] . "%'";
} elseif (isset($_POST['JobNumber']) && (strlen($_POST['JobNumber']) > 0)) {
$qry .= " AND JobNumber LIKE '%" . $_POST['JobNumber'] . "%'";
}
This is the code used to encode the query after it has been processed:
$qry = urlencode($qry);
A string is output to be used in the pagination, an example being
http://localhost/cpc/jobsearch.php?page=2&q=SELECT+%2A+FROM+jobs+JOIN+clients+ON+jobs.Client+%3D+clients.ClientCode+WHERE+JobNumber+LIKE+%27%251%25%27+AND+DP+LIKE+%27%25754611%25%27
This is causing errors around the 754611 section of the url, and the page does not preform as intended. I believe it has something to do with the %25 (which represents a % sign, and is needed for the search) running into the value (754611 in this case) and not being decoded properly.
What am I doing wrong?
Related
I have a php file that gets some arguments to pass them to sql command. The first one is this:
if (isset ($_GET['pedio'])){
$pedio = " ` pedio ` LIKE '%" . $_GET['pedio'] . "%'";
}
With this form, the code is not running. The problem is "%'". If I remove % from "%'" then the code is running but it not what I want to take as expression. I tried:
$pedio = " `pedio` LIKE '%" . $_GET['pedio'] . chr(37) . "'";
but it didn't help. If i change chr(37) to chr(38) then the code is running but I have & in the end of the expression, not %. What is wrong with it? Any solutions?
EDIT:
my code:
<?php
if (isset($_GET['pedio'])) {
$pedio = " pedio LIKE '%$pedio%'";
}
if (isset($_GET['instit_type'])) {
if ($pedio != "") {
$instit_type = " AND";
}
$instit_type.= " instit_type = '" . $_GET['instit_type'] . "'";
}
if (isset($_GET['city'])) {
if ($pedio != "" || $instit_type != "") {
$city = " AND";
}
$city.= " city = '" . $_GET['city'] . "'";
}
echo "<p>" . $pedio . " , " . $instit_type . " , " . $city . "</p>";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
$conn->set_charset("utf8");
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT * FROM schools WHERE"; . $pedio;
// . $instit_type . $city . $category;
// echo $sql; $result = $conn->query($sql);
This modification is not working either:
if (isset ($_GET['pedio']))
{
switch ($_GET['pedio']){
case 1:
$pedio = " `pedio` LIKE '%1%'";
case 2:
$pedio = " `pedio` LIKE '%2%'";
case 3:
$pedio = " `pedio` LIKE '%3%'";
case 4:
$pedio = " `pedio` LIKE '%4%'";
}
}
Now, I noticed that
$pedio = " `pedio` = '%1%'";
code is running with no problem but the sql command is wrong and no results are returned. Replacing LIKE with = eliminates my problem? How is this possible? What is going on anyway?
Its worth an answer.
If your base Query starts with $sql = "SELECT * FROM schools WHERE";, you need to manipulate the current variable by adding a . before = src.
Full code example
ATTENTION This example isnt secure! Use prepared statements instead.
<?php
$baseSql = "SELECT * FROM school";
if(isset($_GET['pedio'])) {
$baseSql .= "WHERE pedio LIKE '%" . $_GET['pedio'] . "%'";
}
?>
You can try the following :
$variable = $_GET['pedio'];
$pedio = "pedio LIKE '%$variable%'";
I've tried to look for a solution but can't seem to grasp the issue I have.
I have a search query with a "where clause" stating if a user inputs multiple words return the result.
I need the result returned in the same order searched.
Even if i just add the addition "ORDER BY DESC" an error is thrown "Trying to get property of non-object".
Here is my code:
$word = $_GET['word'];
$word3 = $_GET['word'];
$word = explode(";", $word);
$noOfWords = count($word);
$word2 = $word3;
if ($noOfWords == 1) {
$searchString = " word_eng LIKE '" . $conn->escape_string($word3)
"%'";
} else {
$searchString = $whereClause = "";
foreach ($word as $entry) {
$searchString .= " OR word_eng LIKE '" . $conn->escape_string($entry) . "' ORDER BY '" . $word2 . "' ";
}
}
$whereClause = ($searchString != "") ? " WHERE " . preg_replace('/OR/',
'', $searchString, 1) : $whereClause;
$sql = "SELECT word_eng FROM words " . $whereClause . " LIMIT 17";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$row1 = $row["word_eng"];
echo $row1;
}
There are a couple of problems with the way your trying to use ORDER BY. There should be only 1 order by clause in any SQL, you are adding it in for each word your adding. The second part is that it's expecting to order by a column name and your ordering it by the words your searching for.
With wanting to maintain the order of the terms and the order of the results, it would be necessary to use an order by clause with something like a case (Can you add an if statement in ORDER BY? may help explain this).
$orderBy = "";
if ($noOfWords == 1) {
$searchString = " word_eng LIKE '" . $conn->escape_string($word3) ."%'";
} else {
$searchString = $whereClause = "";
$orderBy = " order by case `word_eng` ";
foreach ($word as $order=>$entry) {
$searchString .= " OR word_eng LIKE '" . $conn->escape_string($entry) . "'";
$orderBy .= " when '$entry' then $order ";
}
$orderBy .= " end ";
}
$whereClause = ($searchString != "") ? " WHERE " . preg_replace('/OR/',
'', $searchString, 1) : $whereClause;
$sql = "SELECT word_eng FROM words " . $whereClause . " " .$orderBy." LIMIT 17";
if ($noOfWords == 1) {
$searchString = " word_eng LIKE '" . $conn->escape_string($word3)
"%'";
} else {
$searchString = $whereClause = "";
foreach ($word as $entry) {
$searchString .= " OR word_eng LIKE '" . $conn->escape_string($entry);
}
$searchString .= "' ORDER BY '" . $word2 . "' ";
}
I think you messed up with MySQL Query string in bellow line code.
$searchString .= " OR word_eng LIKE '" . $conn->escape_string($entry) . "' ORDER BY '" . $word2 . "' ";
Your Query is generating Something like
ORDER BY DESC
And OrderBy Query should be something like this
ORDER BY expression [ ASC | DESC ];
So you are missing the expression in query.
I have an sql search query that returns the matched values within a where clause. I need to update this - so for example, if someone searches "elephhant" it will return the result "elephant". How do I go about doing this? Thanks
$the_word = GET['word_eng'];
$split = substr($the_word, 0, 3);
if ($noOfWords == 1) {
$searchString = " word_eng LIKE '" . $the_word ."%'";
}
else {
$searchString = $whereClause = "";
$orderBy = " order by case `word_eng` ";
foreach ($word as $order=>$entry) {
$searchString .= " OR word_eng LIKE '" . $entry . "'";
$orderBy .= " when '$entry' then $order ";
}
$orderBy .= " end ";
}
$whereClause = ($searchString != "") ? " WHERE " . preg_replace('/OR/',
'', $searchString, 1) : $whereClause;
$sql = "SELECT word_eng FROM words " . $whereClause . " OR word_eng LIKE '" .$split "%' " .$orderBy." LIMIT 50";
$result = $conn->query($sql);
How do i bind values to a variable which is partially processed with diffrent statements and then concatenated using php .= method
Please note that I am not using array to bind parameters.
below is piece of code
$wher = '';
now I have added few varibles to $wher like
if (!empty($_SESSION['advs']['title']))
{
$wher .= '(';
if (isset($_SESSION['advs']['desc']))
{
$wher .= "(au.description like '%" . $system->cleanvars($_SESSION['advs']['title']) . "%') OR ";
}
$wher .= "(au.title like '%" . $system->cleanvars($_SESSION['advs']['title']) . "%' OR au.id = " . intval($_SESSION['advs']['title']) . ")) AND ";
}
more addition to $wher
if (isset($_SESSION['advs']['buyitnow']))
{
$wher .= "(au.buy_now > 0 AND (au.bn_only = 'y' OR au.bn_only = 'n' && (au.num_bids = 0 OR (au.reserve_price > 0 AND au.current_bid < au.reserve_price)))) AND ";
}
if (isset($_SESSION['advs']['buyitnowonly']))
{
$wher .= "(au.bn_only = 'y') AND ";
}
if (!empty($_SESSION['advs']['zipcode']))
{
$userjoin = "LEFT JOIN " . $DBPrefix . "users u ON (u.id = au.user)";
$wher .= "(u.zip LIKE '%" . $system->cleanvars($_SESSION['advs']['zipcode']) . "%') AND ";
}
now I am using $wher in database query like
// get total number of records
$query = "SELECT count(*) AS total FROM " . $DBPrefix . "auctions au
" . $userjoin . "
WHERE au.suspended = 0
AND ".$wher . $ora . "
au.starts <= " . $NOW . "
ORDER BY " . $by;
$wher is being used in SQL select query.
How do I put placeholders to $wher and bind the values??
my problem is something like PHP PDO binding variables to a string while concatenating it
But slight different way
I am having a problem getting a query to work (and also am questioning the security of the query).
if(isset($_POST)){
$sql = "SELECT * FROM members WHERE";
if($_POST['FirstName_S'] !== ''){
$sql .= " FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
if($_POST['LastName_S'] !== ''){
$sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
}
}
Obviously, if FirstName_S is undefined, the query breaks saying "WHERE OR". It seems like it would have a logical fix, but I've been staring at it for a little too long.
Also, sql injection was brought up as a concern, and as a side-question, would sanitizing the input be enough? Or is this altogether bad practice?
if(isset($_POST)){
$sql = "SELECT * FROM members WHERE";
if($_POST['FirstName_S'] !== ''){
$sql .= "OR FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
if($_POST['LastName_S'] !== ''){
$sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
}
$sql=str_replace("WHERE OR","WHERE",$sql); // quick dirty fix
}
Ofcourse you'd need to sanitize the input, but since you didn't mention which MySQL API you use, I did not add any sanitization functions yet. You can look at http://php.net/mysqli_real_escape_string
do it other way as follow
if(isset($_POST)){
$sql = "SELECT * FROM members WHERE";
if($_POST['FirstName_S'] !== ''){
$sql_arr[]=" FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
if($_POST['LastName_S'] !== ''){
$sql_arr[]= " LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql_arr[]= " Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql_arr[]= " Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql_arr[]= " City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql_arr[]= " State LIKE '%" . $_POST['State_S'] . "%'";
}
if(!empty($sql_arr)){
$sql.=implode(' OR ',$sql_arr);
}
}
The quick fix is to add 1=1 to your query, so your query ends with WHERE 1=1. That allows you to be free to append any number of OR something to your query, without being concerned with omitting the OR on the first one.
(That 1=1 predicate doesn't cause any problem; that will be evaluated at parse time, and doesn't appear in the execution plan.)
As to SQL Injection, yes, this code is susceptible. If you are using mysql interface, then sanitize the post variables with mysql_real_escape_string function. If you are using mysqli or PDO (and you should be), then use parameterized queries.
$stmt = $dbConnection->prepare('SELECT * FROM members WHERE FirstName LIKE ? OR LastName LIKE ? OR FIRM LIKE ? OR Country LIKE ? OR CITY LIKE ? OR STATE LIKE ?');
if($_POST['FirstName_S'] !== ''){
$stmt->bind_param('FirstName', '%'.$_POST['FirstName_S'].'%');
} else {
$stmt->bind_param('FirstName', '%');
}
… // do this for all your parameters
$stmt->execute();
I think this could help you:
if(isset($_POST)){
$sql = "SELECT * FROM members";
if($_POST['FirstName_S'] !== ''){
$sql .= " WHERE FirstName LIKE '%" . $_POST['FirstName_S'] . "%'";
}
else {
$sql .= " WHERE FirstName LIKE '%'";
}
if($_POST['LastName_S'] !== ''){
$sql .= " OR LastName LIKE '%" . $_POST['LastName_S'] . "%'";
}
if($_POST['Firm_S'] !== ''){
$sql .= " OR Firm LIKE '%" . $_POST['Firm_S'] . "%'";
}
if($_POST['Country_S'] !== ''){
$sql .= " OR Country LIKE '%" . $_POST['Country_S'] . "%'";
}
if($_POST['City_S'] !== ''){
$sql .= " OR City LIKE '%" . $_POST['City_S'] . "%'";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql .= " OR State LIKE '%" . $_POST['State_S'] . "%'";
}
}
and for the SQL injections, you can check General_Twyckenham comment.
You could compose the WHERE command based on what parameters is entered...
if(isset($_POST)){
$sql_where = '';
$sql = "SELECT * FROM members ";
if($_POST['FirstName_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." FirstName LIKE '%" . $_POST['FirstName_S'] . "%' ";
}
if($_POST['LastName_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." LastName LIKE '%" . $_POST['LastName_S'] . "%' ";
}
if($_POST['Firm_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." Firm LIKE '%" . $_POST['Firm_S'] . "%' ";
}
if($_POST['Country_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." Country LIKE '%" . $_POST['Country_S'] . "%' ";
}
if($_POST['City_S'] !== ''){
$sql_where .= (($sql_where != '')?('OR '):(''))." City LIKE '%" . $_POST['City_S'] . "%' ";
}
if($_POST['State_S'] !== '' AND $_POST['State_S'] !== 'other'){
$sql_where .= (($sql_where != '')?('OR '):(''))." State LIKE '%" . $_POST['State_S'] . "%' ";
}
$sql .= (($sql_where != '')?('WHERE '.sql_where):(''));
}