I have some code which generates a MySQL query string called $query:

$query = "select * from Surveys where surveylayoutid='$surveyid' and customerid='" . $_SESSION['login_customerid'] . "' and (";
$clue = $_POST['postcode'];
$onwhat="Postcode";
$query .= $onwhat . " like '%$clue%') order by id desc";
$result = mysql_query($query, $connection) or die(mysql_error());

This returns something like:

select * from Surveys where surveylayoutid='12' and customerid='1' and (Postcode like '%dn%') order by id desc

which works fine. I've then altered the code because I want to search on more fields so it now reads:

$remap = array("Postcode", "Street", "HouseNum", "District", "Town");
$query = "select * from Surveys where surveylayoutid='$surveyid' and customerid='" . $_SESSION['login_customerid'] . "' and (";
for ($i=0; $i<=4; $i++) {
 if ($_POST[strtolower($remap[$i])]!="") {
  $clue = $_POST[strtolower($remap[$i])];
  $query .= $remap[$i] . " like '%$clue%') order by id desc";
  break;
 }
}

This also returns:

select * from Surveys where surveylayoutid='12' and customerid='1' and (Postcode like '%dn%') order by id desc

which on the face of it is identical but it generates this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'like '%dn%' order by id desc' at line 1

In both cases $query contains the same "text" but for some reason isn't treated as a valid MySQL query in the updated code, can anyone tell me why?

  • careful, your code is vulnerable to SQL injection. if you do not know what this is, or what to do about it, read this : bobby-tables.com Commented Oct 21, 2015 at 8:40
  • Do you mind showing the outputs? I mean all the outputs Commented Oct 21, 2015 at 8:44
  • I can hardly believe that SQL would trip over the exact same query it can otherwise successfully execute. Are you sure those are the exact outputs of both methods? Commented Oct 21, 2015 at 8:46
  • Yes I copied the output and pasted it into notepad to compare the query strings in both instances and they are identical Commented Oct 21, 2015 at 8:48
  • The ' at '% are the correct ' ? (only want to make sure as it's always hard to discern there). One additional question there though: surveylayoutid and customerid both have ' ' in their checks; are those string values? If not then the ' ' are not needed and should be removed. Commented Oct 21, 2015 at 8:54

2 Answers


One possible problem could be the interpretation of the content here. If you use:

  $query .= $remap[$i] . " like '%$clue%') order by id desc";

All that is inside "" gets to be interpreted. Thus there could be unwanted side effects that you don't see at first glance and can explain what is happening. To avoid this it would have to be changed to:

$query .= $remap[$i] . ' like ' . "'" . '%' . $clue . '%' . "') order by id desc";

Even though more clunky in terms of how big it is, it makes sure that $clue and also the % are not interpreted, as all in between ' ' is not interpreted.

1 Comment

Not 100% sure so not adding it as an answer, but it could be that the %dn is interpreted there. It has been a while since I last coded PHP but if I remember correctly %d is to indicate integers, so that COULD be the reason why " " has problems there. One additional thing though, as far as I'm aware mysql_query is deprecated and you should switch to mysqli functions.
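The same per-field search rewritten with mysqli prepared statements, as an added example (not code from the question or either answer): the column name cannot be bound, so it is taken from the fixed $remap whitelist, and only the user's clue is bound as a value with its LIKE wildcards escaped. It assumes a $mysqli connection, $surveyid and $_SESSION['login_customerid'] exist as in the question; pickSearchColumn and likePattern are helper names chosen here.

```php
<?php
// Added example, not code from the question or either answer: the same
// search built with mysqli prepared statements. Column names cannot be
// bound, so the column comes from a fixed whitelist and only the clue is
// bound as a value. $mysqli, $surveyid and $_SESSION are assumed as in the question.
$remap = array("Postcode", "Street", "HouseNum", "District", "Town");

// Return the first whitelisted column whose lowercase POST key is non-empty.
// The POST key is used only for the lookup; the SQL gets the whitelist entry.
function pickSearchColumn(array $allowed, array $post): ?string
{
    foreach ($allowed as $column) {
        $key = strtolower($column);
        if (isset($post[$key]) && trim((string) $post[$key]) !== '') {
            return $column;
        }
    }
    return null;
}

// Escape LIKE wildcards so a clue containing "%" or "_" matches literally
// (MySQL's default LIKE escape character is the backslash).
function likePattern(string $clue): string
{
    return '%' . addcslashes($clue, '%_\\') . '%';
}

$column = pickSearchColumn($remap, $_POST);
if ($column === null) {
    exit("No search field supplied.");
}

// The column name is interpolated only after passing the whitelist above;
// every user-controlled value goes through a placeholder instead.
$sql = "SELECT * FROM Surveys"
     . " WHERE surveylayoutid = ? AND customerid = ? AND `$column` LIKE ?"
     . " ORDER BY id DESC";
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    exit("prepare failed: " . $mysqli->error);
}
$customerId = $_SESSION['login_customerid'];
$pattern = likePattern($_POST[strtolower($column)]);
$stmt->bind_param('sss', $surveyid, $customerId, $pattern);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Display each matching survey row here.
}
```

get_result() needs the mysqlnd driver; on a build without it, use bind_result() and fetch() instead.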

See if this helps you solve your problem:

$remap = array("Postcode", "Street", "HouseNum", "District", "Town");
$query_done = array();

for ($i = 0; $i <= 4; $i++) {
    if ($_POST[strtolower($remap[$i])] != "") {
        $query = "select * from Surveys where surveylayoutid='12' and customerid='1' and (";
        $clue = $_POST[strtolower($remap[$i])];
        $query .= $remap[$i] . " like '%$clue%') order by id desc";
        // store each field's query under its own index so the lookup below
        // still matches when an earlier field was left empty
        $query_done[$i] = $query;
        unset($query);
        $result = mysql_query($query_done[$i], $connection) or die(mysql_error());

        // Display your result here
    }
}

I tried changing your code a bit, and it seems the result is something like this:

select * from Surveys where surveylayoutid='12' and customerid='1' and (Postcode like '%Postcode%') order by id desc
select * from Surveys where surveylayoutid='12' and customerid='1' and (Street like '%Street%') order by id desc
select * from Surveys where surveylayoutid='12' and customerid='1' and (HouseNum like '%HouseNum%') order by id desc
select * from Surveys where surveylayoutid='12' and customerid='1' and (District like '%District%') order by id desc
select * from Surveys where surveylayoutid='12' and customerid='1' and (Town like '%Town%') order by id desc

7 Comments

It returns: array(1) { [0]=> string(110) "select * from Surveys where surveylayoutid='12' and customerid='1' and (Postcode like '%dn%') order by id desc" } You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Slightly different, it now returns You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
I assume one of the POST fields is empty, causing such an error. Let me re-edit again.
If I change the query to $remap[$i] . "='$clue') instead of $remap[$i] . " like '%$clue%') it works, so is the issue with "like"?
If the original SQL worked then that is quite strange. What datatype is postcode? I would guess char or varchar, which means then that it should be possible to do blahblah like '%myInnerText%'. Which MySQL version is it?
