MySQL - Searching & Containing word / PHP - php

I'm trying to search for an element in two different columns of a MySQL database. The first may match the searchedObject, the second may contain it (the column contains text). I'm using PHP.
The page returns an error:
Parse error: syntax error, unexpected ')' in C:\wamp\www\v2\header.php on line 9
Here is my request
"SELECT * FROM corporate WHERE (columnA = " . $_GET["searchedObject"]) . " OR (columnTextedB LIKE '%" . $_GET["searchedObject"] . "%' )";
Any idea to save my night :o ?

The error is pretty clear on what you have done wrong...
$_GET["searchedObject"])
Move that )... into
") OR (columnTextedB LIKE '%"
PS. This code is very vulnerable to SQL injection attacks.

The syntax error is a problem in your PHP:
"SELECT * FROM cim_corporate WHERE (columnA = " . $_GET["searchedObject"]) . " OR (columnTextedB LIKE '%" . $_GET["searchedObject"] . "%' )";
Note that you close a bracket that is never opened in PHP. Try:
"SELECT * FROM cim_corporate WHERE (columnA = " . $_GET["searchedObject"] . ") OR (columnTextedB LIKE '%" . $_GET["searchedObject"] . "%' )";
However please do not use $_GET variables directly in queries. A malicious user can then add all sorts of nasty stuff to your query.

Related

PHP SQL Query Mystery

This headache of a SQL message throws no error, but the $zvv variable is not being inserted properly in the query. It is affecting the result as if it were "" (nothing), but it does have a valid string value; it is just not getting into the query.
See any problem with this sql?
$sqlQuery = " SELECT * FROM tbl_staff WHERE status =' " . $zvv . " ' limit
" . ($lowerLimit) . " , " . ($perPageCount) . " ";
Try this:
"SELECT * FROM tbl_staff WHERE status='$zvv' LIMIT
$lowerLimit , $perPageCount ";
Should do the trick.
You have spaces in your concatenation. Also if you use double quotes, the content of the variable will be printed out.
$sqlQuery = "
SELECT *
FROM
tbl_staff
WHERE
status ='$zvv'
LIMIT
$lowerLimit , $perPageCount ";
You have spaces in your query:
$sql = " SELECT * FROM tbl_staff WHERE status =' " . $zvv . " ' limit " . ($lowerLimit) . " , " . ($perPageCount) . " ";
-----^ -----^
So if $zvv has a value of 'abc' you're using it in the query as status=' abc ' which, because of the spaces, isn't the same. Cleaned up result, this is how I prefer to write it:
$sqlQuery = "SELECT * FROM tbl_staff
WHERE status='". $zvv ."'
LIMIT ". $lowerLimit.",".$perPageCount;
Thanks, got 2 birds with one stone here, some of this oughta work better than my current query, and prepared statements seem like a good permanent way to get past wrestling characters with this trial and error approach and that more safely from SQL injection risk.
That error was holding up the rest of the routine in a deceptive manner where it seemed to work until I looked closer, as this is the first time I messed with AJAX and pagination.
This advice oughta save some real sql-roulette headache time immensely in the future, it is pretty finicky but I understand why now.
Thanks everyone.

multiple field search form displaying entire database [duplicate]

I am trying to create a database with multiple fields for searching but it is displaying the entire database if there is an empty field. I suspect it is because of the OR's in the query and I am not sure how to fix it.
<?php
if (isset($_POST['Submit']))
{
$con = mysqli_connect();
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$surname = $_POST['surname'];
$firstname = $_POST['firstname'];
$maiden = $_POST['maiden'];
$birth = $_POST['birth'];
$death = $_POST['death'];
$keyword = $_POST['keyword'];
$sql = "SELECT * FROM obits WHERE surname LIKE '%" . $surname . "%' OR firstname LIKE '%" . $firstname . "%' OR maiden LIKE '%" . $maiden . "%' OR birth LIKE '%" . $birth . "%' OR death LIKE '%" . $death . "%' OR obittext LIKE '%" . $keyword . "%'";
$result = mysqli_query($con, $sql);
Further down I have this:
if (isset($result) && $result->num_rows > 0);
Then follows the table etc. I think I have all the pertinent info here. Any suggestions? Please use English rather than programmer, I am quite new at this. Thanks in advance!
Let's look at one of the conditions:
surname LIKE '%" . $surname . "%'
Assuming, $surname is Miller here, you select all rows that have a surname like %Miller%. The % signs are wildcards, which can basically stand for anything. This means you are selecting all rows where the surname contains Miller with any string before or after it, including empty ones.
Now, if Miller would be empty in this case, you are looking for %%, so an empty string with anything before or after it -- so really any possible string. As a result, every row will be selected.
Since this is true not only for the surname, but for any of the columns, leaving any of the criteria blank will result in all rows being selected.
Find more info on SQL Wildcards.
To skip empty values in your where clause, you can build it dynamically:
$condition = "WHERE ";
if(!empty($surname)){
$condition .= "surname LIKE '$surname' OR ";
}
if(!empty($firstname)){
$condition .= "firstname LIKE '$firstname' OR ";
}
// ...
$sql = "SELECT * FROM obits " . $condition;
Note:
There will be a trailing OR in the condition that you will have to remove.
If all conditions are blank, this will also lead to an error.
But it should give you an inspiration! :-)
Side Note:
You should look into prepared statements. Passing POST variables directly into an SQL statement is highly dangerous.

Using LIKE to find something inside a string

I don't understand why this doesn't work. I have the following contents in sowner : " 6 4 7 " without the quotes, but with all the spaces including in the beginning and the end. That's the sowner value of a row in the DB.
I have row id which I transform into a string of this form (id is 4) " 4 " then search for it inside sowner to see if it's there. No results returned.
Here is my code:
$sql = 'SELECT * FROM `services` WHERE `sowner` LIKE ?';
$stmt = $conn->prepare($sql);
if($stmt === false) {
trigger_error('Wrong SQL: ' . $sql . ' Error: ' . $conn->errno . ' ' . $conn->error, E_USER_ERROR);
}
$spacedid = " " . strval($row['id']) . " ";
$stmt->bind_param('s', $spacedid);
$stmt->execute();
$res3 = $stmt->get_result();
The purpose is to have an undefined number of people's ids in a string separated by spaces and only showing stuff to people if their id is inside the services sowner field.
I am positive it's the LIKE because if I remove the WHERE, all rows show up.
Also I'm using the same implementation in an on-type search suggestion form like this
SELECT * FROM `users` WHERE username LIKE ?
You need to add the wildcard operators to the LIKE,
so the statement becomes more like
SELECT * FROM `users` WHERE username LIKE '% 6 %'
Change the line
$spacedid = " " . strval($row['id']) . " ";
to
$spacedid = "% " . strval($row['id']) . " %";

Escaping % symbol in MySQL with PHP

I have a simple search box but I am trying to avoid the result page returning all results in the table when the query is %. How can that be done?
I think you want to use \%...
In your PHP,
// $con is the mysqli connection; the procedural call needs it as its first argument
$query = str_replace('%', '\%', $query);
$sql = "SELECT * FROM table WHERE column LIKE '%" . mysqli_real_escape_string($con, $query) . "%'";
Are you sanitizing your inputs?
You can start with mysqli_real_escape_string()
// $con is the mysqli connection; the procedural call needs it as its first argument
$query = "SELECT * FROM table WHERE column LIKE '" . mysqli_real_escape_string($con, $input) . "'";
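
The multi-field obits search and the % question above meet in one place: skip blank fields, escape LIKE wildcards, and bind the values instead of concatenating them. The following is an added example, not code from any of the posts; the helper names are hypothetical and the column names are taken from the obits question.

```php
<?php
// Added example. buildObitSearch() and runObitSearch() are hypothetical helpers;
// the field and column names are the ones from the obits form above.

// Make user-typed \, % and _ match literally inside a LIKE pattern
// (backslash is MySQL's default LIKE escape character).
function escapeLike(string $term): string
{
    return strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// Returns [sql, params], or null when every field is blank.
function buildObitSearch(array $input): ?array
{
    // Form field => column: fixed here, never taken from the request.
    $columns = ['surname' => 'surname', 'firstname' => 'firstname', 'maiden' => 'maiden',
                'birth' => 'birth', 'death' => 'death', 'keyword' => 'obittext'];
    $where = $params = [];
    foreach ($columns as $field => $column) {
        $value = is_string($input[$field] ?? null) ? trim($input[$field]) : '';
        if ($value === '') {
            continue; // blank field: add no condition rather than LIKE '%%'
        }
        $where[] = "$column LIKE ?";
        $params[] = '%' . escapeLike($value) . '%';
    }
    if ($where === []) {
        return null; // nothing to search for, so do not return the whole table
    }
    return ['SELECT * FROM obits WHERE ' . implode(' OR ', $where), $params];
}

function runObitSearch(mysqli $con, array $input): array
{
    $query = buildObitSearch($input);
    if ($query === null) {
        return [];
    }
    [$sql, $params] = $query;
    $stmt = $con->prepare($sql); // values travel separately from the SQL text
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input: one blank field and a keyword holding a literal %.
[$sql, $params] = buildObitSearch(['surname' => 'Miller', 'firstname' => '', 'keyword' => '100%']);
echo $sql, "\n", implode(' | ', $params), "\n";
```

The demo lines at the bottom run without a database; runObitSearch() needs a live mysqli connection and the mysqlnd driver for get_result().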

Using mysql with php and ajax, I want to print out a string (rather than a 0/1) for this query

I apologize if this question has come up before, but I've looked and only found people who are only concerned with the actual result returned by
mysql_query($query);
I'm making a php/mysql page with ajax for a project where the user can create a database and perform a search by interacting with a few select boxes. I would also like to be able to print out the actual query generated by the php, just for testing.
if($dArray[0] == 'sb2a'){
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = \'" . $dArray[2] + "\'";}
print($sql);
It just prints 0 rather than something like
"SELECT * FROM Vehicles WHERE VID = '01'"
Any help would be greatly appreciated.
Near the end of your line of code setting the value for $sql:
. $dArray[2] + "\'";
That + should be a .
if($dArray[0] == 'sb2a')
{
// In a double-quoted string ' needs no backslash; \' would put a literal backslash into the SQL
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = '" . $dArray[2] . "'";
}
print($sql);
For concatenation we should always use '.'
Query should be like this.
$sql = "SELECT * FROM Vehicles WHERE {$dArray[1]} = '{$dArray[2]}'";
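
In the Vehicles query both the column name and the value come from the request, and a placeholder can only stand in for the value. The following added example (not code from the original posts) checks the column against a fixed list and still prints the query for testing; the column list other than VID and both helper names are assumptions.

```php
<?php
// Added example. SEARCHABLE_COLUMNS (apart from VID), vehicleQuery() and
// describeQuery() are assumptions, not names from the original post.
const SEARCHABLE_COLUMNS = ['VID', 'Make', 'Model'];

// Returns [sql, params] for "column = value" on the Vehicles table.
function vehicleQuery(string $column, string $value): array
{
    // Placeholders only carry values. A column name has to be checked against
    // a fixed list (strict comparison) before it goes into the SQL text.
    if (!in_array($column, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown search column');
    }
    return ["SELECT * FROM Vehicles WHERE `$column` = ?", [$value]];
}

// For testing: the statement text plus the values that will be bound to it.
function describeQuery(string $sql, array $params): string
{
    return $sql . '  -- params: ' . json_encode($params);
}

// Constructed sample of the array built from the select boxes.
$dArray = ['sb2a', 'VID', '01'];
if ($dArray[0] == 'sb2a') {
    [$sql, $params] = vehicleQuery($dArray[1], $dArray[2]);
    print(describeQuery($sql, $params) . "\n");
    // With a mysqli connection $con (assumed):
    //   $stmt = $con->prepare($sql);
    //   $stmt->bind_param('s', ...$params);
    //   $stmt->execute();
}

// A column that is not on the list is refused instead of being interpolated.
try {
    vehicleQuery('NotAColumn', '01');
} catch (InvalidArgumentException $e) {
    print('rejected: ' . $e->getMessage() . "\n");
}
```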
