ansaurus

Question

Answer 1

+2 A:

Please don't do this, it is vulnerable to SQL injection (this is a list of 138 StackOverflow questions you should read, absorb and understand prior to returning to your application). Use parametrized queries or stored procedures.

Cade Roux 2009-12-03 22:58:21

I am afraid I have no idea what this means, I am more than a newbie at this :(

skarama 2009-12-03 22:59:13

This doesn't really help, at all.

Jeffrey Aylesworth 2009-12-03 22:59:15

+1: Someone took offense to being warned about bad practices :/

OMG Ponies 2009-12-03 23:00:02

Warning about bad practices is useless to a newbie if you don't explain what you're talking about and help show how to fix it.

ceejayoz 2009-12-03 23:03:48

Thank you, I will definitely give it a read :)

skarama 2009-12-03 23:08:49

Answer 2

+2 A:

Use:

$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '{$variable}'" ;

To get an idea of why to prevent SQL injection attacks, like the above would be vulnerable to, I submit "Exploits of a Mom":

alt text

OMG Ponies 2009-12-03 22:58:50

I get the idea but, the fields tablename and columnname aren't actual fieldnames, I changed the real ones. Or am I getting wrong? And I'm not taking offense, I'm quite happy I'm getting so many quick answers!

skarama 2009-12-03 23:04:27

skarama: He means that you shouldn't create SQL queries using strings to enter parameters. By doing that, you're giving your users full access to your database (with the same permissions as your webserver).

Mark Byers 2009-12-03 23:08:57

@Skarma: The point of SQL Injection attack is that it artificially terminates the string parameter you're attempting to populate, and then submit a second query immediately afterwards that is likely to be malicious. Doesn't matter what happens in the first query.

OMG Ponies 2009-12-03 23:10:14

-1 for a non-working query. The variable won't be evaluated in a single-quoted string, it needs single quotes around the variable itself, and you're missing the wildcards the user requested.

ceejayoz 2009-12-03 23:13:16

Updated to correct variable access.

OMG Ponies 2009-12-03 23:19:19

Downvote removed. :-)

ceejayoz 2009-12-03 23:27:29

Thank you everyone, I will also take a look at SQL Injection attacks and try to learn how to prevent it :)

skarama 2009-12-04 00:20:58

Answer 3

+7 A:

Ultimately, what I want, is to be able to make a search for which the search-term is the current page's url, with wildcards before and after.

The SQL wildcard character is a percent sign. Therefore:

$variable = curPageURL();
$variable = mysql_real_escape_string($variable);
$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '%{$variable}%'";

Note: I've added in an extra bit of code. mysql_real_escape_string() will protect you from users deliberately or accidentally putting characters that will break your SQL statement. You're better off using parameterised queries, but that's a more involved topic than this simple fix.

Also note: I've fixed your string quoting, too. You can only use a variable in a string directly if that string is double quoted, and you were missing a quote at the end of $query.

ceejayoz 2009-12-03 23:02:58

THANK YOU! You're a savior, thank you so much! I just noticed your edit, this is what I hadn't done!!It works fine now, thanks so much, and this site is definitly favorited.

skarama 2009-12-03 23:16:07

+1: And I appreciate the comment regarding the downvote.

OMG Ponies 2009-12-03 23:24:30

Answer 4

+1 A:

Use double quotes if you need to substitute variable values:

## this code is open for SQL injection attacks
$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '$variable'";

Or concat string manually:

## this code is open for SQL injection attacks
$query = 'SELECT * FROM `tablename` WHERE `columnname` LIKE "' . $variable . '"';

Ivan Nevostruev 2009-12-03 23:05:27

Answer 5

A:

Edit: Removed the additional code since the answer was simply a missing "

Thanks everyone!

skarama 2009-12-03 23:13:20

You can accept an answer by clicking the checkbox by it.

ceejayoz 2009-12-03 23:26:10

Thanks for letting me know!

skarama 2009-12-04 06:53:15

Answer 6

A:

As to why you're not being notified of the syntax error: It's fairly likely that your error reporting settings aren't set up correctly.

Open php.ini and make sure the following is set:

display_errors = On

And:

error_reporting = E_ALL

Paul Lammertsma 2009-12-03 23:19:03

Answer 7

A:

Your code is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query string. Instead, it must first be sanitized with a function such as mysql_real_escape_string().

streetparade 2009-12-03 23:36:29

ansaurus

tags:

views:

answers:

LIKE operator with $variable

related questions