
If I type

'

into my search bar I get a MySQL error, as the "string" has not been escaped, I think.

But the reason why I can't escape it is because I don't think it currently is a string.

The search box generates search results dynamically with AJAX as I type, and it is when it finds the results that I get the error:

    You have an error in your SQL syntax; check the manual that corresponds to
    your MySQL server version for the right syntax to use near '%' OR Location
    LIKE '%'%' OR Map LIKE '%'%' LIMIT 0, 16' at line 2

This is the mysql query:

    <?php
    if ($_POST['q'] != "") {
        include $_SERVER['DOCUMENT_ROOT'] . "/include/datebasecon.php";
        // $_POST['q'] is spliced straight into the SQL text between the quotes
        $result = mysql_query("
          SELECT id, Name, Location,  Map
          FROM Accommodation WHERE Name LIKE '%" . $_POST['q'] . "%' OR Location LIKE '%" . $_POST['q'] . "%' OR Map LIKE '%" . $_POST['q'] . "%' LIMIT 0, 16")
            or die(mysql_error());
        $output = "";
        while ($row = mysql_fetch_array($result)) {
            // the same raw input is also used unquoted as a regex pattern
            $N = preg_replace("/(" . $_POST['q'] . ")/i", "<span>$1</span>", $row['Name']);
            $L = preg_replace("/(" . $_POST['q'] . ")/i", "<span>$1</span>", $row['Location']);
            $M = preg_replace("/(" . $_POST['q'] . ")/i", "<span>$1</span>", $row['Map']);
            $output .= "<p>" . $N . " - " . $L . "</p>";
        }

        print $output;
    }
    ?>

Is there any way I can fix this after it has posted the query, maybe?

Comment (Sep 25, 2010 at 13:43): "I don't think it currently is a string." And what is it?

3 Answers

When magic_quotes_gpc is off (as it should be!), $_POST['q'] is simply the string ', as just one character. That's why it's appearing in your SQL code like this:

    %' OR Location LIKE '%'%' OR Map LIKE '%'%' LIMIT 0, 16

The error takes place at '%'%' because the LIKE string is being prematurely terminated.

You can just use mysql_real_escape_string() on $_POST['q'] and it'll be escaped:

    $q = mysql_real_escape_string($_POST['q']);
    $result = mysql_query("
      SELECT id, Name, Location,  Map
      FROM Accommodation WHERE Name LIKE '%" . $q . "%' OR Location LIKE '%" . $q . "%' OR Map LIKE '%" . $q . "%' LIMIT 0, 16")
        or die(mysql_error());

You wrote "I don't think it currently is a string"... it is a string. You can pass it to mysql_real_escape_string() and use the result to make your query secure and reliable. Everything your script receives via the $_POST, $_GET, $_REQUEST and $_COOKIE params can be used as a string, unless it is an array.


To make you understand, look at your query:

    LIKE '%search string%'

Note the apostrophes you have used to delimit the search string.
These apostrophes mean that the data inside IS a string.
Everything you put in quotes into a query is a string.
Everything you put in quotes into a query must be escaped.
No need to think, consider or estimate. The rule is simple and unambiguous: quoted text should always be escaped.

Comment: Thank you for this, I'm fairly new to PHP, this has helped a lot.
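The first and third answers both come down to the same rule: the search term is a string inside the SQL quotes, so it must never be spliced into the query text raw. The example below is added here and is not code from the question or from any of the answers. It rewrites the asker's search with a PDO prepared statement, so the input is sent as a bound parameter and cannot terminate the string literal, and it also escapes the LIKE wildcards and fixes the two secondary problems in the original loop (raw input used as a regex pattern, row values printed without HTML escaping). The function names `searchAccommodation` and `highlight` are made up for this example; it assumes the `pdo_sqlite` extension so that it runs offline against an in-memory database with a constructed `Accommodation` table. For MySQL only the DSN changes; the query text is the same.

```php
<?php
// Added example (not the asker's or answerers' code): parameterised version of
// the accommodation search. Runs against in-memory SQLite with constructed rows.

function searchAccommodation(PDO $db, string $q, int $limit = 16): array
{
    // '%' and '_' are LIKE wildcards even inside a bound value, so neutralise
    // them with an explicit ESCAPE character; the escape char '!' is doubled first.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $q);
    $term = '%' . $escaped . '%';

    $stmt = $db->prepare(
        "SELECT id, Name, Location, Map
           FROM Accommodation
          WHERE Name LIKE :n ESCAPE '!'
             OR Location LIKE :l ESCAPE '!'
             OR Map LIKE :m ESCAPE '!'
          LIMIT :lim"
    );
    // One placeholder per occurrence: native prepares reject a reused name.
    $stmt->bindValue(':n', $term, PDO::PARAM_STR);
    $stmt->bindValue(':l', $term, PDO::PARAM_STR);
    $stmt->bindValue(':m', $term, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function highlight(string $q, string $value): string
{
    // HTML-escape the row value first so a stored value cannot inject markup,
    // then preg_quote the term so regex metacharacters in $q match literally.
    $safeValue = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $safeTerm = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    $pattern = '/(' . preg_quote($safeTerm, '/') . ')/i';
    return preg_replace($pattern, '<span>$1</span>', $safeValue);
}

// Constructed sample data so the script runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Accommodation (id INTEGER PRIMARY KEY, Name TEXT, Location TEXT, Map TEXT)');
$insert = $db->prepare('INSERT INTO Accommodation (Name, Location, Map) VALUES (?, ?, ?)');
foreach ([
    ["O'Brien's Guest House", 'Galway', 'map-1'],
    ['Harbour View', 'Cork', 'map-2'],
    ['100% Hillside B&B', 'Kerry', 'map-3'],
] as $row) {
    $insert->execute($row);
}

// The lone apostrophe that broke the original query is now plain data and
// matches the one name containing it; '%' matches only the literal percent sign.
foreach (["'", '%', 'view'] as $q) {
    $rows = searchAccommodation($db, $q);
    echo 'q=' . json_encode($q) . ' -> ' . count($rows) . " row(s)\n";
    foreach ($rows as $row) {
        echo '<p>' . highlight($q, $row['Name']) . ' - ' . highlight($q, $row['Location']) . "</p>\n";
    }
}
```

Run it with `php search.php`. The `mysql_*` functions used on this page were removed in PHP 7.0, so in current PHP the prepared-statement route (PDO or mysqli) is the only one available anyway; with it the question of "is it a string yet?" never arises, because the driver sends the value separately from the SQL text rather than escaping it into the query.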
