I don't understand why this doesn't work. I have the following contents in sowner : " 6 4 7 " without the quotes, but with all the spaces including in the beginning and the end. That's the sowner value of a row in the DB.
I have row id which I transform into a string of this form (id is 4) " 4 " then search for it inside sowner to see if it's there. No results returned.
Here is my code:
$sql = 'SELECT * FROM `services` WHERE `sowner` LIKE ?';
$stmt = $conn->prepare($sql);
if($stmt === false) {
trigger_error('Wrong SQL: ' . $sql . ' Error: ' . $conn->errno . ' ' . $conn->error, E_USER_ERROR);
}
$spacedid = " " . strval($row['id']) . " ";
$stmt->bind_param('s', $spacedid);
$stmt->execute();
$res3 = $stmt->get_result();
The purpose is to have an undefined number of people's ids in a string separated by spaces and only showing stuff to people if their id is inside the services sowner field.
I am positive it's the LIKE because if I remove the WHERE, all rows show up.
Also I'm using the same implementation in a on-type search suggestion form like this
SELECT * FROM `users` WHERE username LIKE ?
you need to add the wildcard operators to the like
so the statement becomes more like
SELECT * FROM `users` WHERE username LIKE '% 6 %'
change the line
$spacedid = " " . strval($row['id']) . " ";
to
$spacedid = "% " . strval($row['id']) . " %";
Related
This question already has answers here:
Search Form with One or More (Multiple) Parameters
(2 answers)
Closed 7 years ago.
I am trying to create a database with multiple fields for searching but it is displaying the entire database if there is an empty field. i suspect it is because of the OR's in the query and i am not sure how to fix it.
<?php
if (isset($_POST['Submit']))
{
$con = mysqli_connect();
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$surname = $_POST['surname'];
$firstname = $_POST['firstname'];
$maiden = $_POST['maiden'];
$birth = $_POST['birth'];
$death = $_POST['death'];
$keyword = $_POST['keyword'];
$sql = "SELECT * FROM obits WHERE surname LIKE '%" . $surname . "%' OR firstname LIKE '%" . $firstname . "%' OR maiden LIKE '%" . $maiden . "%' OR birth LIKE '%" . $birth . "%' OR death LIKE '%" . $death . "%' OR obittext LIKE '%" . $keyword . "%'";
$result = mysqli_query($con, $sql);
further down i have this:
if (isset($result) && $result->num_rows > 0);
then follows the table etc. i think i have all the pertinent info here. any suggestions? please use english rather than programmer, i am quite new at this. thanks in advance!
Let's look at one of the conditions:
surname LIKE '%" . $surname . "%'
Assuming, $surname is Miller here, you select all rows that have a surname like %Miller%. The % signs are wildcards, which can basically stand for anything. This means you are selecting all rows where the surname contains Miller with any string before or after it, including empty ones.
Now, if Miller would be empty in this case, you are looking for %%, so an empty string with anything before or after it -- so really any possible string. As a result, every row will be selected.
Since this is true not only for the surname, but for any of the columns, leaving any of the criteria blank will result in all rows being selected.
Find more info on SQL Wildcards.
To skip empty values in your where clause, you can build it dynamically:
$condition = "WHERE";
if(!empty($surname)){
$condition .= "surname LIKE '$surname' OR";
}
if(!empty($firstname)){
$condition .= "firstname LIKE '$firstname' OR";
}
// ...
$sql = "SELECT * FROM obits " . $condition;
Note:
There will be a trailing OR in the condition that you will have to remove.
If all conditions are blank, this will also lead to an error.
But it should give you an inpiration! :-)
Side Note:
You should look into prepared statements. Passing POST variables directly into an SQL statement is highly dangerous.
I am generating the first part of the query like this:
while ($all_products = $db->fetch_array($all_prods))
{
$filter_string .= 'AND product_id !=';
$filter_string .= $all_products['item_id'];
$filter_string .= ' ';
}
and then the second part like this:
$sql_more_items = $db->query("SELECT * FROM db_products
WHERE owner_id='" . $user_id . "' AND active=1 '" . $filter_string . "'
ORDER BY RAND() LIMIT 10");
However it's giving me a mySQL syntax error and the $filter_string part strangely adds ' twice before and after the string, so it runs like this:
WHERE user_id='12345' AND active=1 'AND product_id !=0001 AND product_id !=0002 ' ORDER BY RAND ...
What am I doing wrong?
$filter_string adds ' because you put it there. :P
Try with just the double quotes around $filter_string:
$sql_more_items = $db->query("SELECT * FROM db_products WHERE owner_id='" . $user_id . "' AND active=1 " . $filter_string . "ORDER BY RAND() LIMIT 10");
$sql_more_items = $db->query("SELECT * FROM db_products
WHERE owner_id='" . $user_id . "' AND active=1 '" . $filter_string . "'
ORDER BY RAND() LIMIT 10");
Check the way you're performing a string concatenation (putting together strings). It seems like there's a copy/paste error as you're using '" instead of just a "
I would use whitespace (and a good code editor) to your advantage by reformatting your code to look like this:
$queryString = "SELECT * FROM db_products WHERE owner_id='$user_id'"
." AND active=1 " //Note these
. $filter_string //are separated
. "ORDER BY RAND() LIMIT 10 "; //into individual lines
$sql_more_items = $db->query($queryString);
This style helps you keep track of whether you're using " or ' for your strings and also helps you debug things more easily than putting it into one giant hard to read string.
That's probably because of the part
`"' AND active=1 '"`
^.... This ' here
so I am building a search script and meed to pass on two variables, but first I want to make sure that the SQL QUery is correct so I am hard-coding the variable for now. So my variable is
$comma_separated = "'Alberta','Ontario'";
This is getting passed through to the query, which looks like this:
$sql = "SELECT * FROM persons WHERE 1=1";
if ($firstname)
$sql .= " AND firstname='" . mysqli_real_escape_string($mysqli,$firstname) . "'";
if ($surname)
$sql .= " AND surname='" . mysqli_real_escape_string($mysqli,$surname) . "'";
if ($province)
$sql .= " AND province='" . mysqli_real_escape_string($mysqli,$comma_separated) . "' WHERE province IN ($comma_separated)";
$sql .= " ORDER BY surname";
and then when the query runs, I get this message:
cannot run the query because: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE province IN ('Alberta','Ontario') ORDER BY surname LIMIT 0, 5' at line 1
But to me the query looks right, what am I missing here?
Thanks in advance.
You can't have WHERE in there twice. You also seem to be trying to filter on province values in two different ways. Based on the assumption that $province will always be an array of values (even if only a single value is given), you can try this:
$sql = "SELECT * FROM persons WHERE 1=1";
if (!empty($firstname)) {
$sql .= " AND firstname='" . mysqli_real_escape_string($mysqli,$firstname) . "'";
}
if (!empty($surname)) {
$sql .= " AND surname='" . mysqli_real_escape_string($mysqli,$surname) . "'";
}
if (!empty($province)) {
array_walk($province, function($value, $key_not_used) use ($mysqli) {
return mysqli_real_escape_string($mysqli, $value);
});
$sql .= " AND province IN ('" . implode(',', $province) . "')";
}
$sql .= " ORDER BY surname";
Your SQL contains two WHERE's.
SELECT * FROM persons WHERE 1=1
AND firstname='fn'
AND surname='sn'
AND province='p'
WHERE province IN ($comma_separated)
ORDER BY surname
Change the last bit to:
$sql .= " AND province='" . mysqli_real_escape_string($mysqli,$comma_separated) . "' AND province IN ($comma_separated)";
Which becomes:
AND province='p'
AND province IN ('Alberta','Ontario')
Change the last part to:
if ($province)
$sql .= " AND province IN (" . mysqli_real_escape_string($mysqli,$comma_separated) . ")";
By using $quer1 am able to save value "Favorite's TV shows?" AS "Favorite\'s TV shows?"
when i went into host's PHPMYADMIN and wrote a SQL
query-
SELECT ques_id FROM questions WHERE ques like 'Favorite\'s TV shows?'
It returns 0 rows yet 'Favorite\'s TV shows?' is in database
$query2 returning error as it is not able to fetch any row, yet value exsist in database!!
$qques="q".$ques;
$query1 =sprintf("insert into questions(ques) values ('%s')",
mysql_real_escape_string($val));
$result = mysql_query($query1);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query1;
die($message);
}
$query2 =sprintf("SELECT ques_id FROM questions WHERE ques like '%s'",
mysql_real_escape_string($val));
$result2 = mysql_query($query2);
if (!$result2) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query2;
die($message);
}else
{ $valueSecond= mysql_result($result2, 0);}
Instead of escaping the apostrophe with a backslash, try it with a double apostrophe, like so:
select * from ABC where XYZ like 'Favorite''s TV shows?'
If the escaped apostrophe in in the database, you'll need to do this:
select * from ABC where XYZ like 'Favorite\\''s TV shows?'
I apologize if this question has come up before, but I've looked and only found people who are only concerned with the actual result returned by
mysql_query($query);
I'm making a php/mysql page with ajax for a project where the user can create a database and perform a search by interacting with a few select boxes. I would also like to be able to print out the actual query generated by the php, just for testing.
if($dArray[0] == 'sb2a'){
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = \'" . $dArray[2] + "\'";}
print($sql);
It just prints 0 rather than something like
"SELECT * FROM Vehicles WHERE VID = '01'"
Any help would be greatly appreciated.
Near the end of your line of code setting the value for $sql:
. $dArray[2] + "\'";
That + should be a .
if($dArray[0] == 'sb2a')
{
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = \'" . $dArray[2] . "\'";
}
print($sql);
To concatenation we should always use '.'
Query should be like this.
$sql = "SELECT * FROM Vehicles WHERE {$dArray[1]} = '{$dArray[2]}'";