Programming Forums > Web Development and Design > PHP

DaWei · Nov 28th, 2005, 3:03 PM

The original post:
"SELECT * FROM customer WHERE name LIKE '$name' OR

Arevos · Nov 28th, 2005, 3:45 PM

Single quotes only matter when defining a string. ie.

$name = "Fred";
echo "Hello '$name'";  # outputs: Hello 'Fred'
echo 'Hello $name';    # outputs: Hello $name

Thus, it's likely to be something wrong with the values in k4pil's variables, since there is nothing intrinsically incorrect about the line of code he has shown.

Aside from very possibly being vulnerable to injection attacks, of course. If $name and $surname come from user input, then you may want to use mysql_real_escape_string, k4pil:

(Toggle Plain Text)

$query = "SELECT * FROM customer WHERE name LIKE '" +
   mysql_real_escape_string($name) + "' OR surname LIKE '" +
   mysql_real_escape_string($surname) + "'";

Nov 28th, 2005, 3:03 PM	#11
DaWei Resident Grouch Join Date: Jun 2005 Posts: 6,453 Rep Power: 10	The original post: "SELECT * FROM customer WHERE name LIKE '$name' OR __________________ Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code. Contributor's Corner: Grumpy on C++ Exceptions DaWei on Pointers

Nov 28th, 2005, 3:45 PM	#12
Arevos Programming Guru Join Date: Aug 2005 Location: England Posts: 1,499 Rep Power: 5	Single quotes only matter when defining a string. ie. (Toggle Plain Text) $name = "Fred"; echo "Hello '$name'"; # outputs: Hello 'Fred' echo 'Hello $name'; # outputs: Hello $name $name = "Fred"; echo "Hello '$name'"; # outputs: Hello 'Fred' echo 'Hello $name'; # outputs: Hello $name Thus, it's likely to be something wrong with the values in k4pil's variables, since there is nothing intrinsically incorrect about the line of code he has shown. Aside from very possibly being vulnerable to injection attacks, of course. If $name and $surname come from user input, then you may want to use mysql_real_escape_string, k4pil: (Toggle Plain Text) $query = "SELECT * FROM customer WHERE name LIKE '" + mysql_real_escape_string($name) + "' OR surname LIKE '" + mysql_real_escape_string($surname) + "'"; $query = "SELECT * FROM customer WHERE name LIKE '" + mysql_real_escape_string($name) + "' OR surname LIKE '" + mysql_real_escape_string($surname) + "'";

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Programming Forums > Web Development and Design > PHP

Simple query won't work