Is there anything wrong in my SQL query? :\

mekha
Forum Contributor
Posts: 112
Joined: Sat Mar 31, 2012 6:50 am

Is there anything wrong in my SQL query? :\

Post by mekha »

Code: Select all

" SELECT * FROM $db_tb_name WHERE pages_appearance='yes' AND $db_tb_atr_name like '%".$query."%' OR thecategory='$thecat' OR pages_location='$thelocation' OR pages_price BETWEEN '$fromprice' AND '$toprice' "
Is there anything wrong in my SQL query? :\

These are my variables:

Code: Select all

// Change the fields below as per the requirements
$db_tb_name="pages";
$db_tb_atr_name="pages_text";
$thecat = mysql_real_escape_string($_POST['selectcat']);
$thelocation = mysql_real_escape_string($_POST['location_search']);
$fromprice = mysql_real_escape_string($_POST['fromprice']);
$toprice = mysql_real_escape_string($_POST['toprice']);
// Now we are going to write a script that will do the search task
// Leave the fields below as they are, except the while loop, which will display the results on screen

$query=mysql_real_escape_string($_POST['query']);
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Is there anything wrong in my SQL query? :\

Post by requinix »

Code: Select all

$query=mysql_real_escape_string($_POST['query']);
Are you actually getting the query from the form?
Last edited by requinix on Mon Apr 23, 2012 9:03 am, edited 1 time in total.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Is there anything wrong in my SQL query? :\

Post by Weirdan »

Is there anything wrong in my SQL query? :\
Do you get any errors or some wrong output?
mekha
Forum Contributor
Posts: 112
Joined: Sat Mar 31, 2012 6:50 am

Re: Is there anything wrong in my SQL query? :\

Post by mekha »

Yes, I get it from a form.
[text]
<!--search DIV -->
<div id="search_div">
<form method="post" action="search.php">


<table border="0" width="900" id="table1" cellspacing="5" cellpadding="0" height="50">
<tr>
<td>אזור</td>
<td>קטיגוריה</td>
<td>ממחיר</td>
<td>עד מחיר</td>
<td>טקסט חופשי</td>
<td></td>
</tr>
<tr>
<td> <select name="location_search">



<?php
mysql_query("SET NAMES 'utf8'");
$result3 = mysql_query("SELECT location_id as value2,location_name as title2 FROM locations");
while($row = mysql_fetch_assoc($result3)){
extract($row);
?>
<option value="<?=$title2?>"><?=$title2?></option>
<?php
}
?>
</select></td>
<td> <select name="selectcat">



<?php
mysql_query("SET NAMES 'utf8'");
$result2 = mysql_query("SELECT Id as value,category_name as title FROM categories");
while($row = mysql_fetch_assoc($result2)){
extract($row);
?>
<option value="<?=$value?>"><?=$title?></option>
<?php
}
?>
</select></td>
<td><input type="text" name="fromprice"></td>
<td><input type="text" name="toprice"></td>
<td><input type="text" name="query"></td>
<td><input type="submit" value="חפש" style="background-color:orange; color:white; border:1px dotted white; width:100px; height:30px;"></td>
</tr>
</table>
</form>
</div>
[/text]

And yes, I get wrong results...

I didn't get WHERE pages_appearance='yes'... :\
And another question:
When I use BETWEEN, must the field be INT? Or can I use VARCHAR and put only numbers in the VARCHAR?
x_mutatis_mutandis_x
Forum Contributor
Posts: 160
Joined: Tue Apr 17, 2012 12:57 pm

Re: Is there anything wrong in my SQL query? :\

Post by x_mutatis_mutandis_x »

Use whichever type that column is defined as.

For example:
column BETWEEN val1 AND val2

If the column is VARCHAR, val1 and val2 must be strings.
If the column is INT, val1 and val2 must be ints.

Also, getting the query from a POST is bad design. The user can easily right-click on your page, click "View Source", and he/she will know your DB objects/tables.
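An added example, not from anyone in this thread, that runs the posted query shape against a constructed SQLite table (the pages table and its columns are assumed from the query; row contents are made up). It shows why pages_appearance='yes' is ignored for most rows (AND binds tighter than OR), the parenthesised fix with bound parameters and LIKE-wildcard escaping, and, for the BETWEEN question, how a numeric range behaves when the column holds text. MySQL applies the same precedence and string-comparison rules.

```python
import sqlite3

# Constructed sample rows (not from the thread): one page is hidden.
SAMPLE_PAGES = [  # pages_text, pages_appearance, thecategory, pages_location, pages_price
    ("red sofa for sale", "yes", "1", "Haifa", 300),
    ("blue chair", "no", "2", "Haifa", 150),
    ("old table", "yes", "3", "Eilat", 900),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (pages_text TEXT, pages_appearance TEXT, "
                 "thecategory TEXT, pages_location TEXT, pages_price INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?,?,?,?,?)", SAMPLE_PAGES)
    return conn

def escape_like(s):
    # Escaping for SQL string literals does not neutralise LIKE wildcards;
    # a bare '%' typed into the form would match every row, so escape them too.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_as_posted(conn, text, cat, location, lo, hi):
    # Same shape as the thread's query. AND binds tighter than OR, so
    # pages_appearance='yes' guards only the LIKE term; every other OR
    # branch also returns hidden pages. Values are bound, not interpolated.
    sql = ("SELECT pages_text FROM pages WHERE pages_appearance='yes' AND pages_text LIKE ? "
           "OR thecategory=? OR pages_location=? OR pages_price BETWEEN ? AND ?")
    rows = conn.execute(sql, ("%" + text + "%", cat, location, lo, hi))
    return sorted(r[0] for r in rows)

def search_fixed(conn, text, cat, location, lo, hi):
    # Parentheses group the OR branches so the visibility check applies to all of them.
    sql = ("SELECT pages_text FROM pages WHERE pages_appearance='yes' AND ("
           "pages_text LIKE ? ESCAPE '\\' OR thecategory=? OR pages_location=? "
           "OR pages_price BETWEEN ? AND ?)")
    pattern = "%" + escape_like(text) + "%"
    rows = conn.execute(sql, (pattern, cat, location, lo, hi))
    return sorted(r[0] for r in rows)

def price_range(conn, lo, hi, as_text=False):
    # BETWEEN on a numeric column compares numbers; on a VARCHAR/TEXT column
    # it compares strings, so '150' falls "between" '1000' and '2000'.
    # `col` is chosen from two fixed literals here, never from user input.
    col = "CAST(pages_price AS TEXT)" if as_text else "pages_price"
    rows = conn.execute(f"SELECT pages_text FROM pages WHERE {col} BETWEEN ? AND ?", (lo, hi))
    return sorted(r[0] for r in rows)
```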