quick question

Posted: Tue Sep 08, 2009 10:03 pm
by knightsjoker
quick question:

is it possible to do this?

$a=$_GET['a'];
$b=$_GET['b'];

$sql = "SELECT * FROM whatever WHERE '$a' LIKE '%$b%'";

Re: quick question

Posted: Tue Sep 08, 2009 10:18 pm
by Mirge
Yes, it's possible. Recommended? NO......

Escape ALL user input... assume it's malicious even. I'd recommend at the very least you run mysql_real_escape_string() on it.
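As an added illustration (not code posted by either participant), here is the original query beside a hardened version. It uses PDO prepared statements rather than the mysql_real_escape_string() call recommended above, because a bound parameter never becomes part of the SQL text at all. Two details the original snippet hides: wrapping $a in quotes turns it into a string literal, so the query compares the text of $a against the pattern instead of a column, and a column name cannot be bound as a parameter, so it has to be checked against an allow-list. The table `whatever` is from the thread; the column names `name` and `email`, the connection details and the function name are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `whatever`
// with columns `name` and `email` (hypothetical) reachable through PDO.

// --- Original form (vulnerable) ---
//   $sql = "SELECT * FROM whatever WHERE '$a' LIKE '%$b%'";
// Both GET parameters are pasted into the SQL text. A quote character in
// $b ends the string literal, and whatever follows is parsed as SQL.
// Quoting $a also makes it a literal, so no column is actually searched.

// --- Hardened form ---
function searchWhatever(PDO $pdo, string $column, string $term): array
{
    // 1. Identifiers cannot be parameterised: validate against an allow-list.
    $allowedColumns = ['name', 'email']; // hypothetical column list
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown search column');
    }

    // 2. Escape LIKE metacharacters so a user-supplied % or _ matches
    //    literally. Backslash is MySQL's default ESCAPE character.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    // 3. Bind the pattern; the driver keeps it out of the SQL text.
    $stmt = $pdo->prepare("SELECT * FROM whatever WHERE `$column` LIKE :pattern");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection parameters are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME', 'USER', 'PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$rows = searchWhatever($pdo, $_GET['a'] ?? '', $_GET['b'] ?? '');
```

Note that even with mysql_real_escape_string(), the LIKE wildcards % and _ are not escaped, so a search term containing them still alters the match; the addcslashes() step above handles that separately from the injection fix.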

Re: quick question

Posted: Tue Sep 08, 2009 10:38 pm
by knightsjoker
ah ic thanks