We're a community of 1.1M IT Pros here for help, advice, solutions, professional growth and fun. Join us!
1,080,445 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Start New Discussion Reply to this Discussion
Ad: Cisco Servers-unparalleled performance
11 Months Ago
0

Querying with user input

Hello all,

How many ways are there to put variables into a query?
The reason I ask is that I cannot get

"SELECT * FROM locations WHERE title LIKE '%".$input."%'";

The "SELECT * FROM locations" query only does give me the full table but using that input variable substitution (from an input field) kills my query and returns nothing. (yes the tables are full and contain matches haha)

How can I get this to work with POST data, and what other methods can us noobs use to add variables to our queries?

I've seen:

:variable , {'$variable'} , "%'.$input.'%" , ('$searchquery') etc

I'm sure there is more but I'm sure this will be educational to see WHY we would use the differences. Thanks!

4
Contributors
5
Replies
1 Day
Discussion Span
11 Months Ago
Last Updated
6
Views
webenveloper
Newbie Poster
3 posts since Jul 2012
Reputation Points: 0
Solved Threads: 0
Skill Endorsements: 0
11 Months Ago
0

"SELECT * FROM locations WHERE title LIKE '%".$input."%'";

The "SELECT * FROM locations" query only does give me the full table but using that input variable substitution (from an input field) kills my query and returns nothing. (yes the tables are full and contain matches haha)

Just check whether $input is set or not. If you are trying to get values from POST data, try using $_POST['field_name'] directly just to make sure you are getting POST values and check whether you are assiging $_POST['field_name'] to $input

niranga
Junior Poster
192 posts since Apr 2010
Reputation Points: 21
Solved Threads: 26
Skill Endorsements: 0
11 Months Ago
0

Hi. Assuming that you have $_POST variable called "what" for example that you want to use in your query,
it's a good idea to check if it is set first and the assign it to another variable e.g. $var_what. so...

if isset($_POST['what']){
    $var_what = $POST_['what'];
}

and then you can include that variable in the mySQL query.

   SELECT * FROM locations WHERE title LIKE '%{$var_what}%'";
Marcus mouse
Light Poster
40 posts since May 2011
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
11 Months Ago
1

:variable

Definitely preferred (or ?), because it indicates that you are using bound parameters. That drastically decreases the change of an SQL injection. The other three rely on variable insertion, which need decent validation before using them.

pritaeas
Posting Prodigy
Moderator
9,534 posts since Jul 2006
Reputation Points: 1,194
Solved Threads: 1,494
Skill Endorsements: 98
11 Months Ago
0

Thanks everyone. I did test to see if the POST was working BTW. You know what my problem was....? Charset... It wasn't UTF8. I learned a valuable lesson on this one.

Does anyone have any resources to understand more about bound parameters? I still don't understand much about these insertions.

Thanks!

webenveloper
Newbie Poster
3 posts since Jul 2012
Reputation Points: 0
Solved Threads: 0
Skill Endorsements: 0
11 Months Ago
0

Have a question on the same subject. Inserting POST data into a PDO prepared statement obviously doesn't work the same way. Any advice on how to make input data like I mentioned above pass to PDO SQL?

$sql = "SELECT * 
FROM beaches 
WHERE 
(title LIKE '%".$input."%') 
OR 
(address LIKE '%".$input."%')";

$stmt = $pdo->prepare($sql);

$stmt->execute( array() );

$results =  $stmt->fetchAll( PDO::FETCH_ASSOC );

Is this an instance where you must use :$input ? And why?

webenveloper
Newbie Poster
3 posts since Jul 2012
Reputation Points: 0
Solved Threads: 0
Skill Endorsements: 0

This article has been dead for over three months: Start a new discussion instead

Post: Markdown Syntax: Formatting Help
 
You
Web Development > PHP
View similar articles that have also been tagged:
 
© 2013 DaniWeb® LLC
Page generated in 0.0761 seconds using 2.68MB