Is there a way using MySQL, to query a value containing a space, but as some sort of escape character? It's for an instant search engine I'm building (I'm trying to incorporate special search strings such as quotes to search for exact string).
cheers
select * from sometable where somefield like '%oh no%';
Full-text indexes are what you should use. They handle all sorts of key words/characters (such as quoting a string to get exact match, -someword for saying someword can't be in the result and +someword for saying someword has to be in the result) without having to do anything special in your code (other than changing your query a little). The database will do the search for you and return the most relevant results at the top of the query. It is really quite easy to get going too.
Mysql Manual
Using full-text searching (implementation help)
Related
I was surprised to discover that the MySQL query
SELECT * WHERE name LIKE "%AFA_";
returns rows where name is SAFARI. To get it to match on the underscore, you have to do:
SELECT * WHERE name LIKE "%AFA\_";
Is there a PHP function that can do this transition or do I have to use str_replace?
PHP has no knowledge of MySQL LIKE wildcards, nor should it.
It does, however, have a way to escape things in strings if you want, and that is str_replace.
Replace instances of _ with \_, or whatever you like.
Ultimately this question has nothing to do with MySQL.
I am implementing search in my project so I have to search data which will be in any order so I'm following this question. But my query was not working
my php query is
$cat="(?=.*Women)(?=.*Rings)";
$sql="select * from tbl_jewellery where categories RLike '$cat';";
when I change regex to Women.*Ring|Ring.*Women
It works fine but (?=.*Women)(?=.*Rings) approach is easy and can be used for multiple words just adding them.
MySQL does not implement (? syntax in REGEXPs. I think MariaDB 10.0.5 does.
For a significant subset of such queries, you could use a FULLTEXT index on that categories with this:
MATCH(categories)
AGAINST('+women +rings' IN BOOLEAN MODE)
That says both "words" occur, without limitations on order or proximity.
This is a question about string manipulation, not about database security. I am fully aware of PDO and prepared statements.
I want to prevent the word "UNION" from being inserted into my database. It's not the only one, there's a list: "EXECUTE", "DROP", etc. I'm using "UNION" as an example.
My plan is to use str_replace() on any given string (which includes full SQL statements, not just the values) and convert any occurrence of "UNION" into some other arbitary string and then insert the result into the database. E.g. "my union called a vote" would become "my #noinu# called a vote".
When the content is pulled from the database to be displayed on the front-end, any occurrences of "#noinu#" would be replaced with "union".
The words to be replaced are SQL keywords which work regardless of case so I have no case-matching on this.
The problem is that when someone enters, for example, "Union of unions" (capital U on the first word) the result that is eventually printed back out is "union of unions" with small letters.
If I try to account for uppercase, lowercase and proper case then I still miss instances like this, "uNiOn" which would still run in MySQL.
I figured some kind of regular expression would be part of the solution and then I draw a blank.
How can I identify case variations of a word (without manually defining all combinations), replace each variation with it's own custom replacement and then replace them back afterwards?
I have a strange problem with my msqli code. I copied a part of my other code and I got this:
$query=mysqli_query($mysql,"SELECT COUNT (*) AS number FROM table");
$query=mysqli_fetch_assoc($query);
$query=$query['number'];
I tought that i mistaken something but i found no problem in this code so i copy-pasted the whole other working code and it did not work, while it still worked perfectly in the other file. The query returns a boolean. Any ideas how to make it work?
Posting as a community wiki.
From the MySQL manual on functions:
"By default, there must be no whitespace between a function name and the parenthesis following it. This helps the MySQL parser distinguish between function calls and references to tables or columns that happen to have the same name as a function. However, spaces around function arguments are permitted."
http://dev.mysql.com/doc/refman/5.7/en/functions.html
A: Remove the space from COUNT (*) => COUNT(*).
COUNT() is an aggregate "function".
And just for argument's sake; table is a MySQL reserved word, should that be its actual name.
https://dev.mysql.com/doc/refman/5.5/en/keywords.html
If you wish to still use that name (should it be the case), wrap it in ticks:
SELECT COUNT(*) AS number FROM `table`
Check for errors on the query:
http://php.net/manual/en/mysqli.error.php
Plus, using the same $query variable, is bad practice.
Also make sure you're using the same MySQL API to connect with, being mysqli_ and not a different one.
INSERT INTO expense (date,desc,price,out,method)
VALUES ('$time','$desc','$price','$out','$method');
What is wrong in the MySQL statement above? I have checked all the other stuff in my code but only this seems to be buggy.
I am passing this statement to mysql_query() function in PHP. It gives me an error and does not insert the data in the row.
All the variables above are also present.
So what could be the problem?
desc is keyword in SQL (order by `key` desc). You cannot use barewords which are also keywords in SQL. In this case, you should escape desc with ` symbol (like `desc`). date is also keyword, but MySQL decided to allow it's incorrect usage because of common usage before making it keyword. But not every database engine allows this, so be careful.
But, it's good practice to actually quote all keys, even if it's not needed - this way you could protect against adding keywords in SQL which would break your queries.
ORDER BY
List of keywords (in MySQL)
'date' is a MySQL keyword (for the date field type). You should enclose the field name with backticks like this:
INSERT INTO expense (`date`,desc,price,out,method)
(I think the other fields are fine, but you could add backticks to those as well if you like)