So I am trying to do a LIKE query and get some results, but the text that I pass has some special characters that break the query.
If we assume that the text is something like this:
var test `select` `query`="$newval + "dsadsa$ ? "$test ?
and I also have exactly the same text inside a column as VARCHAR,
and then executing the query
SELECT * FROM table WHERE column LIKE '%$text%'
says that there are no rows to return.
EDIT: when I post the data into the database I simply use mysql_real_escape_string, and when I show the text where I click to search I put htmlentities on the text,
then I substr it from 0 to 50 and do the search query.
You can use mysql_real_escape_string(), which will escape any special characters in your string.
Try to avoid writing variables directly into the string; it may cause problems (plus it's really not nice):
mysql_query("SELECT * FROM table WHERE column LIKE '%" . $text . "%'");
Of course, make sure that the $text variable is really correct (echo $text); character escaping may cause problems too, and of course there can be many other things causing problems (this depends on the architecture of your application: where you work with $text).
I'm trying to do a search in the database with special characters, specifically string with apostrophe.
For example, I want to search for the string: "Sandy's dog", but I just entered "sandys dog" leaving out the apostrophe. Even though "Sandy's dog" exists in the database, it doesn't seem to show it in the results.
Here's my query:
SELECT * FROM `Table` WHERE `Title` LIKE '%sandys dog%'
I have searched everywhere and I can't seem to find a solution that works.
EDIT
Limitations: the string is user generated
Notes:
- If a user searches for sandy's dog with the apostrophe, it works fine as expected.
- Ultimately I would like to get all possible results, if the table contains both strings with and without apostrophe.
In SQL server, you can use REPLACE:
SELECT *
FROM Table
WHERE REPLACE(Title, '''', '') LIKE '%sandys dog%'
The double-apostrophe inside the string is an escape character, so it finds any apostrophes in the string and replaces them with blank strings.
Please try using escape sequences.
http://dev.mysql.com/doc/refman/5.7/en/string-literals.html
Something like, SELECT * FROM Table WHERE Title LIKE '%sandy\'s dog%'
How about this?
SELECT * FROM Table WHERE Title LIKE '%sandy''s dog%'
or
SELECT * FROM Table WHERE Title LIKE '%sandy_s dog%'
The underscore is a "single character" wildcard.
I want to fetch a spare part from MySQL (Yii framework). Some part titles contain ', for
example: OUTLANDER '03-06
For security reasons I encode the query string parameter through htmlspecialchars() (converts special characters to HTML entities), so the query becomes:
SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER '03-06 %"
LIMIT 0 , 10
Yet this yields an empty result.
While if I only escape ' by adding a slash, such a query works:
SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER \'03-06 %"
LIMIT 0 , 10
What's the problem? Do I still need to apply htmlspecialchars() to input parameters to make them safe HTML entities for security reasons? What would be a solution?
I think you have to use mysql_real_escape_string() instead.
Ref: http://www.w3schools.com/php/func_mysql_real_escape_string.asp
The function htmlspecialchars() is not meant to escape strings in queries. You should use one of these functions:
mysqli_prepare
mysqli_real_escape_string
addslashes
I have a MySQL database with a column containing part numbers. Some of the part numbers contain spaces:
3864205010 J
When I query the database or search for the part in phpMyAdmin no results are returned.
Yet when I delete the 2 spaces and then type them again, the search returns a result.
This query does not return a result:
SELECT *
FROM `parts`
WHERE `part_no` LIKE '3864205010 K'
This query returns the result:
SELECT *
FROM `parts`
WHERE `part_no` LIKE '3864205010 K'
They look the same, but in the second query I have deleted the 2 spaces before "K" and typed the spaces again.
If you can use a wildcard instead of the spaces:
SELECT *
FROM `parts`
WHERE `part_no` LIKE '3864205010%K'
This is probably not a space but an HTAB (ASCII code 9) or even a line feed/carriage return (10 and 13). Copy and paste it into a good text editor and you'll see what it really is.
Now, regarding your question about why it doesn't work even though it looks like a space: this is because every single character we see is interpreted by the engine (Notepad, phpMyAdmin, Firefox... any software with text rendering).
What actually happens is that when the engine finds an ASCII code, it transforms it into a visible character. CHAR(9), for example, is often transformed into a 'big space', usually equal to 2 or 4 spaces. But phpMyAdmin might just decide not to do it that way.
Another example is the line feed (CHAR(10)). In a text editor it would be the signal that the line ends and (mostly under Unix systems) a new line has to start. But you can copy this line feed into a database field; you're just not sure about how it is going to render.
Because they want you to see everything in the cell, they may choose to render it as a space... but that's NOT a space if you look at its ASCII code (and here there's no trick: all rendering engines will tell you the right ASCII code).
This is why it is important to always treat characters by their ASCII codes.
There's an answer above that suggests using a wildcard instead of the spaces. That might match, or it might not. Let's say your string is '386420K5010', so it is not the one you're looking for; still, the LIKE '3864205010%K' pattern would return it. The best is probably to use a regular expression, or at least to identify the fixed pattern of these strings.
Yes, as per the updated question, if you wish to remove extra spaces in between (the contents might have 3 or 4 spaces), the query below will be useful to you (each nested REPLACE collapses a double space into a single one):
SELECT REPLACE(REPLACE(part_no, '  ', ' '), '  ', ' ') FROM parts;
Let me know if it works for you.
SELECT *
FROM `parts`
WHERE REPLACE(REPLACE(`part_no`, CHAR(9), ''),' ','') LIKE REPLACE(REPLACE('3864205010 K', CHAR(9), ''),' ','')
This will probably work if part_no and/or search string has tabs and/or spaces.
I'm using CodeIgniter, and what I do is basically:
$val = $this->db->call_function('real_escape_string', $this->input->post('name'));
This is all I do to the data before putting it into the database. And when someone enters a value like O'hara, in the database it will appear as O\'hara.
So I guess I can strip slashes on output, but is this the usual way of escaping and storing data in a database?
SOLVED
Active Record escapes the query, so I was double escaping, with the 'real_escape_string' function as well.
So I guess I don't need to use real_escape_string at all; Active Record does this.
The '\' is called an escape character and must be used so that the next character after it (in your case ') won't interfere with the SQL statement. However, if you're using CI, it should take care of all of this for you. There's an 'HTML helper' that I believe you can use to format or take out the slashes on outputted text. Even then (but I could be wrong), when outputting values from a DB in CI, the slashes will automatically be stripped.
Escaping quotes and special characters is both regular practice and expected for record storage as it helps to ensure that your code can be accurately stored and extracted.
Escaping the strings for the SQL query is so that you can get the actual values into the database.
The value in the SQL query will look like O\'hara but the value that ends up in the database is O'hara.
So, you don't have to do anything at all when you display the value. Except escaping it for the environment where you display it, of course. If it's displayed in an HTML document, you would HTML encode it. This will not change the apostrophe ('), but it will change other characters, like < and >.
Use it directly:
$val = real_escape_string($this->input->post('name'));
In a database, I have some text stored in a field called Description; the value of the string saved in my database is Me\You "R'S'" %, and that's how it appears when querying the database from the command line.
Now, on a web page I have a function which searches this field as such:
WHERE Description LIKE '%$searchstring%'
So when $searchstring has been cleaned, if I was searching for Me\You, the backslash gets escaped and my query reads:
WHERE Description LIKE '%Me\\You%'
However, it doesn't return anything.
The strange part of this is that when I search Me\\You or Me\\\You (so two or three backslashes, but no less and no more) it will return the result I expect, with one backslash.
When querying for the result on the command line, it does not return a result for:
WHERE Description LIKE '%Me\You%'
or when I use two or three backslashes.
However, it will return the result if I use 4 to 7 backslashes, for example:
WHERE Description LIKE '%Me\\\\\\\You%'
will return the string which is Me\You "R'S'" %
Does anyone have a reason for this happening? Thanks
Note
Because MySQL uses C escape syntax in strings (for example, “\n” to represent a newline character), you must double any “\” that you use in LIKE strings. For example, to search for “\n”, specify it as “\\n”. To search for “\”, specify it as “\\\\”; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against.
Source: http://dev.mysql.com/doc/refman/5.1/en/string-comparison-functions.html#operator_like
Read this: Need to select only data that contains backslashes in MySQL, to see how to use double backslash escaping. You could also run MySQL in NO_BACKSLASH_ESCAPES mode (http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_no_backslash_escapes).
Although this is an old post, you can bypass this limitation using the REPLACE function to change the backslash to another character, something like this in the WHERE clause (the backslash inside the string literal itself has to be doubled). EXAMPLE:
WHERE REPLACE(your_field_here, '\\', '-') LIKE "You-Me%"
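Every thread on this page is the same problem seen from a different angle: the search term is spliced into the SQL text, so it has to survive two escaping layers (the string literal, then LIKE's own metacharacters), and quotes, backslashes, wildcards and invisible whitespace each break one of them. The following is an added example written for this page, not code from any of the posts above. It binds the term as a parameter so only the LIKE layer remains, names an explicit ESCAPE character (which switches off backslash-as-escape in the pattern, in MySQL as well as SQLite), and builds the apostrophe- and whitespace-insensitive search from the REPLACE() answers in the same way. It runs offline on Python's standard sqlite3 module; the table name assortment, the column title, the escape character '!' and the sample rows are all constructed for the demo. The unsafe variant is kept beside it only to show what the original '%$text%' interpolation does with a quote, a %, or ' OR '1'='1.

```python
"""Parameterized LIKE search that tolerates quotes, backslashes, wildcards and
invisible whitespace.  Added example for this page, not code from any of the
posts; it uses the standard-library sqlite3 module so it runs offline.  The
table `assortment`, column `title` and the rows below are constructed."""
import sqlite3

# Escape character for the LIKE pattern.  Naming one explicitly with ESCAPE
# means backslash is no longer special inside the pattern (MySQL and SQLite
# both behave this way), so a term is escaped exactly once, in one place.
LIKE_ESCAPE = "!"

ROWS = [  # constructed sample data, covering the cases from the posts
    "Sandy's dog",
    "Sandys dog",
    "OUTLANDER '03-06",
    'Me\\You "R\'S\'" %',
    "100% pure",
    "100 pure",
    "3864205010\t K",      # tab + space: renders like spaces, is not spaces
    "a_c",
    "abc",
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assortment (title TEXT)")
    conn.executemany("INSERT INTO assortment VALUES (?)", [(r,) for r in ROWS])
    return conn


def like_pattern(term: str, escape: str = LIKE_ESCAPE) -> str:
    """Build a pattern that matches `term` literally as a substring.

    Only the LIKE metacharacters (% and _) and the escape char itself need
    escaping.  Quotes and backslashes need nothing: the pattern is bound as a
    parameter, never spliced into the SQL text, so the string-literal layer
    of escaping (the one the posts fight with) does not exist here."""
    out = term.replace(escape, escape + escape)
    out = out.replace("%", escape + "%").replace("_", escape + "_")
    return "%" + out + "%"


def search_safe(conn, term):
    sql = f"SELECT title FROM assortment WHERE title LIKE ? ESCAPE '{LIKE_ESCAPE}'"
    return [row[0] for row in conn.execute(sql, (like_pattern(term),))]


def search_unsafe(conn, term):
    """The '%$text%' interpolation from the posts, kept for contrast: a quote
    in the term breaks the statement, % and _ act as wildcards, and the term
    "' OR '1'='1" turns the search into SELECT everything."""
    sql = f"SELECT title FROM assortment WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def raises_sql_error(conn, term) -> bool:
    """True if the unsafe query cannot even be parsed for this term."""
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


def search_loose(conn, term):
    """Apostrophe- and whitespace-insensitive variant, following the REPLACE()
    answers above: strip ', space and tab from BOTH the column and the
    pattern before comparing, so "sandys dog" finds "Sandy's dog" and a term
    typed with spaces finds a value stored with a tab."""
    strip = "REPLACE(REPLACE(REPLACE({0}, '''', ''), ' ', ''), char(9), '')"
    sql = ("SELECT title FROM assortment WHERE " + strip.format("title")
           + " LIKE " + strip.format("?") + f" ESCAPE '{LIKE_ESCAPE}'")
    return [row[0] for row in conn.execute(sql, (like_pattern(term),))]


if __name__ == "__main__":
    db = make_db()
    for t in ["Sandy's dog", "Me\\You", "100%", "a_c", "' OR '1'='1"]:
        print(f"safe   {t!r:>16} -> {search_safe(db, t)}")
    print("loose  'sandys dog'    ->", search_loose(db, "sandys dog"))
    print("loose  '3864205010 K'  ->", search_loose(db, "3864205010 K"))
    print("unsafe '100%'          ->", search_unsafe(db, "100%"))
    print("unsafe injection rows  ->", len(search_unsafe(db, "' OR '1'='1")))
    print("unsafe \"Sandy's dog\"  -> SQL error:", raises_sql_error(db, "Sandy's dog"))
```

The same like_pattern() and ESCAPE '!' clause carry over unchanged to a MySQL driver that supports bound parameters; the only thing that changes is the connection. Note that search_loose() normalises the stored value at query time on every row, which defeats any index on the column, so for a large table the normalised copy belongs in its own column or the search belongs in a full-text index.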