What's wrong in this simple PHP SQL sentence?_问答_开发者

What's wrong in this simple PHP SQL sentence?

开发者 https://www.devze.com 2023-01-30 00:08 出处：网络

i want to recober all the users with \"blo\" in their full name, for example: \"Pablo\" I pass the \"blo\" parameter with user PHP parameter:

i want to recober all the users with "blo" in their full name, for example: "Pablo"

I pass the "blo" parameter with user PHP parameter:

$q=mysql_query("select * From user Where fullName Like '%'".$_REQUEST['user']."'%'",$link );

something is wrong in the php SQL sentence, because when i try the sentence with the argument "blo" on my SQL database, i see that the SQL sentence is correct, because it returns me correct result, this is the sentence开发者_开发知识库 with the argument "blo" on it: select * From user Where fullName Like "%blo%"

i'm sure that the PHP is receiven the "blo" parameter correctly, then, it have to be a sintax error of the SQL sentence on the PHP.... but i can't find it

EDIT : OK!! the last sentence is solved, but now i have this new sentence with the same problem, it have a error but i dont know where

$query = sprintf("SELECT u.* 
                    FROM USER u
                   WHERE u.fullName LIKE '%%%s%%' AND email NOT IN (select pp.fk_email2 from permission pp where pp.fk_email1='".mysql_escape($_REQUEST['mymail'])."') AND email NOT LIKE  '".mysql_escape($_REQUEST['mymail'])."' ",
                  mysql_real_escape_string($_REQUEST['user']));

SQL requires single quotes to indicate a string for comparison, and the wildcard character (%) must be included inside of those single quotes. Double quotes are used for column and table aliasing only, if at all.

$query = sprintf("SELECT u.* 
                    FROM USER u
                   WHERE u.fullName LIKE '%%%s%%'",
                  mysql_real_escape_string($_REQUEST['user']));

$q = mysql_query($query, $link);

Secondly, you're leaving yourself open to a SQL injection attack by not sanitizing the user request variable. Always use mysql_real_escape_string when dealing with strings being submitted to a MySQL database.

You have the quotes messed up. use this:

$q=mysql_query('SELECT * 
                FROM user
                WHERE fullName LIKE "%' . $_REQUEST['user'] . '%"',$link );

BTW, this is bad practice. You are using un-escaped input in your query and are open to SQL injection.

It looks like your quotes are off.. try something like...

$q=mysql_query("select * From user Where fullName Like '%".$_REQUEST['user']."%'",$link);

Also, you will want to make sure that the incoming param is sql-escaped to prevent sql injection. I don't know php, but it's probably something similar to...

$q=mysql_query("select * From user Where fullName Like '%".mysql_escape($_REQUEST['user'])."%'",$link);

I think it must be ... Where fullname like '%" . $_REQUEST['user']."%'"... with the % symbol inside the simple quotes.

@AndroidUser99: Change the query to --

$q = mysql_query("select * from user Where fullName like '%" . $_REQUEST['user'] . "%'", $link);

Update

I think we may need more code since none of the answers seem to be 'working'. Is the database link even being instantiated in $link? If there are errors what are they?