Grouping multiple like statements - php

I'm new to SQL and can't seem to group multiple LIKE statements together. Any idea what I am doing incorrectly?
$query = mysqli_query($mysqli, "SELECT * FROM table_name
WHERE Page LIKE ".$page."
AND Profession LIKE ".$profession.",
AND Age LIKE ".$age."");
Thanks.

It's likely because they are not enclosed correctly.
$query = mysqli_query($mysqli, "SELECT * FROM table_name
WHERE Page LIKE ".$page."
AND Profession LIKE ".$profession."
AND Age LIKE ".$age."");
when compiled becomes something like
SELECT * FROM table_name
WHERE Page LIKE page number 1
AND Profession LIKE my profession
AND Age LIKE 100
which is invalid SQL
You need to use quotes and escape the values
$query = mysqli_query($mysqli, "SELECT * FROM table_name
WHERE Page LIKE '%".$page."%'
AND Profession LIKE '%".$profession."%'
AND Age LIKE '%".$age."%'");
would give
SELECT * FROM table_name
WHERE Page LIKE '%page number 1%'
AND Profession LIKE '%my profession%'
AND Age LIKE '%100%'
which will likely give the result you would expect.
Make sure the values are safe, though, by at a bare minimum using http://www.php.net/manual/en/mysqli.real-escape-string.php, though looking at prepared statements would be a better option.
Edit:
Remove comma after LIKE ". $profession."

This would be a lot easier to get right if you use placeholders and bind_param:
$stmt = mysqli_prepare($mysqli, "SELECT * FROM table_name
WHERE Page LIKE ?
AND Profession LIKE ?
AND Age=?");
// bind_param takes its arguments by reference, so build the patterns in variables first
$pagePattern = "%" . $page . "%";
$professionPattern = "%" . $profession . "%";
mysqli_stmt_bind_param($stmt, 'ssi', $pagePattern, $professionPattern, $age);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

Related

What is the right syntax for MySQL injection security for $_GET[] and wildcard

This one came close to answering my question: Protect from injections and right syntax for $_GET method
However, my issue is that I am trying to combine it with the wildcard search %. So my original statement that works is like this (it is wrapped in a try/catch block).
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno WHERE Store_name LIKE '%".$_GET['term']."%' AND city LIKE '%".$_GET['city']."%'";
$sql .= " AND address_line_1 LIKE '%".$_GET['address']."%'";
But of course I want to make the statement like this.
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno WHERE Store_name LIKE ? AND city LIKE ?";
$sql .= " AND address_line_1 LIKE ? ";
With a statement like this
$stm = ('%$term%','%$city%','%$address%');
However, this is not working. I have tried all the variations of double and single quotes that I can think of, along with the concatenation, but nothing is working for me. I put the $_GET variables into another variable.
Yes there is other code in the program that does the binding. The final statement should look something like.
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno WHERE Store_name LIKE ? AND city LIKE ?";
$sql .= " AND address_line_1 LIKE ? ";
$stm = array("%$term%", "%$city%", "%$address%");
sqlStatement($sql,$stm); //This is where the binding takes place in the program
So what I need to know is how to use the wildcard with the variable.
If you are using PDO then I would do it like this:
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno
WHERE Store_name LIKE :store_name
AND city LIKE :city
AND address_line_1 LIKE :address_line_1 ";
// now prepared statement like-
$stmt = $conn->prepare($sql);
$stmt->execute(array(
':store_name'=>'%'.$_GET['store_name'].'%',
':city'=>'%'.$_GET['city'].'%',
':address_line_1'=>'%'.$_GET['address_line_1'].'%'
));
$result=$stmt->fetchAll();
If you did not use PDO then have a look at PDO prepared statements on php.net.

Correct way to use LIKE '%{$var}%' with prepared statements?

This does not work
$sql = 'SELECT * FROM `users` WHERE username LIKE \'%{?}%\' ';
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in /home/rgero/public_html/php/searchadmins.php on line 1
This one doesn't work either
$sql = 'SELECT * FROM `users` WHERE username LIKE %{?}% ';
Fatal error: Wrong SQL: SELECT * FROM users WHERE username LIKE %{?}% Error: 0 in /home/rgero/public_html/php/searchadmins.php on line 1
How would I go about this? I'm trying to make a search-for-players function that updates the results as you're typing in the form, something like how Google already shows answers while you're typing. I need the username Admin, if you type dm, to show up among the other usernames that contain "dm". It should also be case insensitive.
Try this
$likeVar = "%" . $yourParam . "%";
$stmt = $mysqli->prepare("SELECT * FROM REGISTRY where name LIKE ?");
$stmt->bind_param("s", $likeVar);
$stmt->execute();
You need to prepare the query using simply ?, then bind the parameter using bind_param.

trouble passing php variable into mysql string

I have been trying to get this for hours, and I know there are other topics similar to this but I'm still stuck... basically I'm trying to list all the customers with last names that start with the letter A:
I'm passing a variable called lname in the URL like this:
Then I grab the variable in the PHP like:
$lname = $_GET['lname'];
$lname = mysql_real_escape_string($lname);
// HERE'S THE PROBLEM AREA: then I try to put a simple query together like this:
$query = 'SELECT * FROM customers WHERE customers.lname LIKE "$lname%"';
// then I want to make sure $query and $lname have values in them, so I echo them out:
echo $query;
echo ' $lname = '.$lname;
// and the output is:
SELECT * FROM customers WHERE customers.lname LIKE "$lname%"
$lname = A
Unknown column '$lname' in 'where clause'
So you can see that in the query, after the LIKE, it should say LIKE 'A', but it is parsing to LIKE $lname. I've tried all kinds of variations such as:
$query = 'SELECT * FROM customers WHERE customers.lname LIKE ".$lname."';
$query = 'SELECT * FROM customers WHERE customers.lname LIKE {$lname}%';
etc, etc, etc
Strange, but the column lname is DEFINITELY there in the customers table, and so I'm not sure why it's reporting that error of 'Unknown column '$lname' in 'where clause''.
And for the record, when I manually just change the query to include the value I want, it outputs the list of customer names perfectly:
$query = 'SELECT * FROM customers WHERE customers.lname LIKE "A%"';
... so the query works, but I can't get the $lname to be interpolated.
THANK YOU for any help. How can I get that variable $lname to pass the VALUE that's inside of $lname in my mysql query?
$query = "SELECT * FROM customers WHERE customers.lname LIKE '$lname%'";
Interchange your single quotes and double quotes in the above line.
You should really think about using parameterized queries. For instance,
$sql = "SELECT * FROM customers WHERE customers.lname LIKE ?";
$stm = $pdo->prepare($sql);
// the wildcard belongs in the bound value, not in the SQL text
$stm->execute(array($lname . '%'));
This would help with many problems you are likely experiencing, and is much more secure.

Issue with query for search bar

I've built a simple search bar for my website, and if my query looks like this, it works great:
$sql = query("SELECT id, firstname, lastname, username, location FROM
users WHERE firstname LIKE '%" . $search_query . "%' LIMIT 20");
but if I write it like this, it echoes a SQL syntax error:
$sql = query("SELECT id, firstname, lastname, username, location FROM
users WHERE firstname, lastname, username, location LIKE '%" . $search_query . "%'
LIMIT 20");
The difference between the 2 queries is that the 2nd one will search through multiple columns which is what i need since my users can search either for a name or a city.
How should I rewrite it?
You have to repeat the LIKE statement for each field, unfortunately.
SELECT id, firstname, lastname, username, location FROM users
WHERE firstname LIKE '%" . $search_query . "%'
OR lastname LIKE '%" . $search_query . "%'
OR username LIKE '%" . $search_query . "%'
OR location LIKE '%" . $search_query . "%'
LIMIT 20
The keyword LIKE does not work like that. Try this:
$like_string = "'%$search_query%'";
$query = "SELECT id, firstname, lastname, username, location
FROM users
WHERE firstname LIKE $like_string OR
lastname LIKE $like_string OR
username LIKE $like_string OR
location LIKE $like_string
LIMIT 20";
$sql = query($query);
As others will tell you, it is smart to account for SQL injection and perform sanity and validity checks before accepting any user data. Take a look at this question on how to prevent SQL injection.
The PDO extension or the mysqli extension is preferred for MySQL and mysql_ functions have been deprecated (as can be seen throughout the documentation).
You need to specify each column's search condition separately:
$sql = query("SELECT id, firstname, lastname, username, location
FROM users
WHERE firstname LIKE '%$search_query%'
OR lastname LIKE '%$search_query%'
OR username LIKE '%$search_query%'
OR location LIKE '%$search_query%'
LIMIT 20");
As you can see, I've removed the concatenation: since you're using double quotes, variables can go directly into the query.
Also, I hope $search_query has been sanitised, or you're opening yourself up to SQL injection attacks; really, you should be using parameterised queries by now.
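An added example (not code from any of the answers above, and not from the questions' own projects) that combines the two points raised in this thread and in the first one: each column needs its own LIKE, and the value, not the SQL, carries the wildcards. It also covers a caveat none of the answers mention: placeholders stop SQL injection, but a % or _ typed by the user still acts as a wildcard inside the pattern, so a search for "50%" would match every row unless those characters are escaped. It assumes a PDO connection in $pdo and the users table named in the question.

```php
<?php
// Added example; assumes $pdo is an open PDO connection to a MySQL database
// holding the `users` table from the search-bar question.

/**
 * Escape the LIKE metacharacters in user input and wrap it in %...%.
 * Binding the value protects the query structure; escaping %, _ and the
 * escape character itself protects the pattern. The ESCAPE clause in the
 * SQL below must name the same character used here.
 */
function likePattern(string $term, string $escape = '!'): string
{
    $escaped = str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $term
    );
    return '%' . $escaped . '%';
}

/**
 * Search several columns for one term with a single prepared statement.
 * One LIKE per column, the same pattern bound once per placeholder.
 */
function searchUsers(PDO $pdo, string $term, int $limit = 20): array
{
    $columns = ['firstname', 'lastname', 'username', 'location'];
    $conditions = array_map(
        fn(string $col) => "$col LIKE ? ESCAPE '!'",
        $columns
    );
    $sql = 'SELECT id, firstname, lastname, username, location FROM users WHERE '
         . implode(' OR ', $conditions)
         . ' LIMIT ?';

    $stmt = $pdo->prepare($sql);
    $pattern = likePattern($term);
    foreach ($columns as $i => $_) {
        $stmt->bindValue($i + 1, $pattern, PDO::PARAM_STR);
    }
    // LIMIT must be bound as an integer: with emulated prepares a string
    // value would be quoted and MySQL would reject the query.
    $stmt->bindValue(count($columns) + 1, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$results = searchUsers($pdo, $_GET['q'] ?? '');
```

Whether the match is case insensitive depends on the column collation, not on LIKE itself, so check the table definition rather than relying on the query.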

implement LIKE query in PDO

I am running into problems implementing LIKE in PDO.
I have this query:
$query = "SELECT * FROM tbl WHERE address LIKE '%?%' OR address LIKE '%?%'";
$params = array($var1, $var2);
$stmt = $handle->prepare($query);
$stmt->execute($params);
I checked $var1 and $var2; they both contain the words I want to search. My PDO is working fine, since some of my other queries (SELECT, INSERT) work; it's just that I am not familiar with LIKE in PDO.
The result is that nothing is returned. Is my $query syntactically correct?
You have to include the % signs in the $params, not in the query:
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
If you'd look at the generated query in your previous code, you'd see something like SELECT * FROM tbl WHERE address LIKE '%"foo"%' OR address LIKE '%"bar"%', because the prepared statement is quoting your values inside of an already quoted string.
Simply use the following:
$query = "SELECT * FROM tbl WHERE address LIKE CONCAT('%', :var1, '%')
OR address LIKE CONCAT('%', :var2, '%')";
$ar_val = array(':var1'=>$var1, ':var2'=>$var2);
$sqlprep = $handle->prepare($query);
if($sqlprep->execute($ar_val)) { ... }
No, you don't need to quote prepare placeholders. Also, include the % marks inside of your variables.
LIKE ?
And in the variable: %string%
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
You can see the example below:
$title = 'PHP%';
$author = 'Bobi%';
// query
$sql = "SELECT * FROM books WHERE title like ? AND author like ? ";
$q = $conn->prepare($sql);
$q->execute(array($title,$author));
Hope it will work.
