How can I do a select from a variable received from a form?

I have the following code but I think that I cannot do this: '%'.$texto.'%'

$busqueda=$_POST['texto'];
$tipo=$_POST['tipo'];

if($tipo='titulo')
    $res=mysql_query("SELECT * FROM LIBRO WHERE LI_TITULO like '%'.$texto.'%'",$conexion);

What should I do? Thank you for your time.

A: 
mysql_query("SELECT * FROM LIBRO WHERE LI_TITULO like '%{$busqueda}%'",$conexion); 

Edit:

You also have a bug in your if statement:

if($tipo='titulo') 

That's not a comparison, it's an assignment. If you want to compare, use

if($tipo==='titulo') 
Saul
That's it, thank you very much, I didn't see it. :S
Vaul
Is it === (three equals) or == (two)? I think it should be == (two equal signs), isn't it?
riad
In this case it's the same thing because you can't have anything else than a string to be equal to `'titulo'`. `===` will also check to see if the variables have the same type, while `==` will first convert the operands to a common type before comparing.
Alin Purcaru
Your code is vulnerable to SQL injection; I would strongly advise never using it in production. See the other answers for how it should be done.
HoLyVieR
@HoLyVieR: Read the question, it was not about SQL injection or input validation. It's up to Vaul to make sure $busqueda is clean.
Saul
@riad: PHP is a weakly typed language. That means a lot of type conversion is happening behind the scenes. For example, ('test' == true) evaluates to true but ('test' === true) does not. Typesafe comparison removes the ambiguity.
Saul
@Saul You have to be clear in your answer about that. Given the source code he provided, `$busqueda` comes from user input and it's not secured at all. Your answer is suggesting that he could use user input data directly in an SQL query, which is a very bad idea.
HoLyVieR
@HoLyVieR: My answer suggests that the variable name was incorrect and nothing else. See the 1st comment.
Saul
Thank you a lot for the help, guys, I will take care of SQL injection and repair the code.
Vaul
+2  A: 

Always do mysql_real_escape_string() on variables or some kind of filtering:

If you expect an integer, parse the variable:

$myId = (int)$_POST['id'];

If you expect a string with no HTML:

$myString = mysql_real_escape_string(strip_tags($_POST['string']));

And so on. Never trust user input!!!

The best option is to use a PHP framework because all frameworks have thought of potential weaknesses and provide reliable architecture and classes/functions for common tasks, e.g. Database, User login, etc.

Some frameworks you can have a look at: CakePHP, CodeIgniter, Zend Framework, Symfony

infinity
Thank you for the suggestion. I will do it.
Vaul
+2  A: 
  1. if($tipo == 'titulo'), or you'll always get true there
  2. mysql_real_escape_string on any user input that you put in your query strings
  3. comment your code
  4. indent your SQL, even if it's in a PHP string, like so:

    $res = mysql_query("
        SELECT * 
        FROM `libro` 
        WHERE `li_titulo` LIKE '%".mysql_real_escape_string($texto)."%'
    ", $conexion);
    
  5. uppercase only for keywords and maybe functions. MySQL is case insensitive.

Alin Purcaru
Please add a ' sign before and after the % sign. Example: WHERE `li_titulo` LIKE ''%'.mysql_real_escape_string($texto).'%''
riad
Actually the other way around. The SQL string is delimited by `"`. Thanks for the heads up.
Alin Purcaru
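The hardened form of the title search discussed in the question and answers, as an added example that is not from any poster: a PDO prepared statement with the LIKE wildcards bound as data, plus the `==`/`===` comparison fix. The mysql_* extension used above was removed in PHP 7, so PDO is a swapped-in API; the in-memory SQLite database, table rows and form values are constructed stand-ins for the asker's `$conexion` and `$_POST`, and `escapeLikePattern`/`buscarPorTitulo` are hypothetical names.

```php
<?php
// Added example (not from the original thread): the LIBRO title search
// rewritten with a PDO prepared statement, so user input is only ever data.
// An in-memory SQLite database with constructed rows stands in for the
// MySQL connection $conexion; with MySQL only the DSN/credentials change.

// Escape LIKE metacharacters so a user typing "100%" matches that text
// literally instead of acting as a wildcard. '!' is used as the ESCAPE
// character because it is portable between SQLite and MySQL.
function escapeLikePattern(string $input): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $input);
}

// Returns the LI_TITULO values that contain $texto as a substring.
function buscarPorTitulo(PDO $db, string $texto): array
{
    $stmt = $db->prepare(
        "SELECT LI_TITULO FROM LIBRO WHERE LI_TITULO LIKE :patron ESCAPE '!'"
    );
    // The % wildcards are added to the bound value, never to the SQL text,
    // so a quote or keyword in $texto cannot change the statement.
    $stmt->execute([':patron' => '%' . escapeLikePattern($texto) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE LIBRO (LI_TITULO TEXT)");
// Constructed sample data.
foreach (["Don Quijote", "100% Cocina", "La Celestina"] as $t) {
    $db->prepare("INSERT INTO LIBRO VALUES (?)")->execute([$t]);
}

// Constructed form input standing in for the real $_POST.
$_POST = ['tipo' => 'titulo', 'texto' => "100%"];
$tipo  = $_POST['tipo'];
$texto = $_POST['texto'];

// Compare with ===; a single = would assign and always be truthy.
if ($tipo === 'titulo') {
    // The % in the user's text is matched literally thanks to escapeLikePattern.
    print_r(buscarPorTitulo($db, $texto));
    // The quote and OR are bound as a plain string, so they match nothing.
    print_r(buscarPorTitulo($db, "' OR '1'='1"));
}
```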