Is there anything wrong in my SQL query? :\
Posted: Sun Apr 22, 2012 6:31 pm
by mekha
" SELECT * FROM $db_tb_name WHERE pages_appearance='yes' AND $db_tb_atr_name like '%".$query."%' OR thecategory='$thecat' OR pages_location='$thelocation' OR pages_price BETWEEN '$fromprice' AND '$toprice' "
Is there anything wrong in my SQL query? :\
These are my variables:
// Change the fields below as per the requirements
$db_tb_name="pages";
$db_tb_atr_name="pages_text";
$thecat = mysql_real_escape_string($_POST['selectcat']);
$thelocation = mysql_real_escape_string($_POST['location_search']);
$fromprice = mysql_real_escape_string($_POST['fromprice']);
$toprice = mysql_real_escape_string($_POST['toprice']);
// Now we are going to write a script that will do the search task
// leave the fields below as they are, except the while loop, which will display results on screen
$query=mysql_real_escape_string($_POST['query']);
Re: Is there anything wrong in my SQL query? :\
Posted: Sun Apr 22, 2012 7:01 pm
by requinix
$query=mysql_real_escape_string($_POST['query']);
Are you actually getting the query from the form?
Re: Is there anything wrong in my SQL query? :\
Posted: Mon Apr 23, 2012 2:52 am
by Weirdan
Is there anything wrong in my SQL query? :\
Do you get any errors or some wrong output?
Re: Is there anything wrong in my SQL query? :\
Posted: Mon Apr 23, 2012 3:59 am
by mekha
Yes, I get it from a form..
[text]
<!--search DIV -->
<div id="search_div">
<form method="post" action="search.php">
<table border="0" width="900" id="table1" cellspacing="5" cellpadding="0" height="50">
<tr>
<td>אזור</td>
<td>קטיגוריה</td>
<td>ממחיר</td>
<td>עד מחיר</td>
<td>טקסט חופשי</td>
<td></td>
</tr>
<tr>
<td> <select name="location_search">
<?php
mysql_query("SET NAMES 'utf8'");
$result3 = mysql_query("SELECT location_id as value2,location_name as title2 FROM locations");
while($row = mysql_fetch_assoc($result3)){
extract($row);
?>
<option value="<?=$title2?>"><?=$title2?></option>
<?php
}
?>
</select></td>
<td> <select name="selectcat">
<?php
mysql_query("SET NAMES 'utf8'");
$result2 = mysql_query("SELECT Id as value,category_name as title FROM categories");
while($row = mysql_fetch_assoc($result2)){
extract($row);
?>
<option value="<?=$value?>"><?=$title?></option>
<?php
}
?>
</select></td>
<td><input type="text" name="fromprice"></td>
<td><input type="text" name="toprice"></td>
<td><input type="text" name="query"></td>
<td><input type="submit" value="חפש" style="background-color:orange; color:white; border:1px dotted white; width:100px; height:30px;"></td>
</tr>
</table>
</form>
</div>
[/text]
And yes, I get wrong output...
I didn't get WHERE pages_appearance='yes'... :\..
And another question:
when I use
BETWEEN
must the field be INT? Or can I use VARCHAR and put only numbers in the VARCHAR?
Re: Is there anything wrong in my SQL query? :\
Posted: Mon Apr 23, 2012 9:38 am
by mekha
When I use
BETWEEN
must the field be INT? Or can I use VARCHAR and put only numbers in the VARCHAR?
Re: Is there anything wrong in my SQL query? :\
Posted: Mon Apr 23, 2012 12:19 pm
by x_mutatis_mutandis_x
Use whichever type that column is defined as.
For example:
column BETWEEN val1 and val2
If column is VARCHAR, val1 and val2 must be string
If column is INT, val1 and val2 must be int
Also, getting the query from a post is a bad design. The user can easily right-click on your page and click "View Source", and he/she will know your DB objects/tables.
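Two things in this thread can be checked by running the query against a small table: mekha's observation that the `pages_appearance='yes'` condition seems to be ignored (in SQL, AND binds tighter than OR, so without parentheses the visibility check only guards the LIKE term), and the question of whether BETWEEN needs an INT column. The following is an added example, not code from the thread or from any poster; it uses Python's sqlite3 module with a constructed three-row `pages` table (the column names come from the thread, the rows and sample values are made up), bound `?` parameters in place of `mysql_real_escape_string`, and assumes the intended logic was "published AND any of the filters". SQLite's string-vs-number comparison rules are used here as a stand-in for MySQL's; with quoted bounds on a VARCHAR column both engines compare lexicographically.

```python
import sqlite3

# Constructed sample data (not from the thread): two published pages and one unpublished draft.
# Column names follow the thread's query; the values are invented for the demonstration.
SAMPLE_ROWS = [
    # pages_appearance, pages_text,                  thecategory, pages_location, pages_price
    ("yes", "cheap flat near the beach",             1,           "Haifa",        900),
    ("yes", "office space downtown",                 2,           "Tel Aviv",     2500),
    ("no",  "draft listing, not published yet",      1,           "Haifa",        1200),
]


def make_db(price_type="INTEGER"):
    """Build an in-memory table; price_type lets us compare INT vs TEXT (VARCHAR) behaviour of BETWEEN."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE pages (pages_appearance TEXT, pages_text TEXT, "
        f"thecategory INTEGER, pages_location TEXT, pages_price {price_type})"
    )
    con.executemany("INSERT INTO pages VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def search_as_posted(con, text, cat, location, fromprice, toprice):
    """Same WHERE-clause shape as the thread, but with bound parameters instead of string building.
    AND binds tighter than OR, so pages_appearance='yes' guards only the LIKE term: any row that
    matches the category, location or price range is returned even when it is unpublished."""
    sql = (
        "SELECT pages_text FROM pages "
        "WHERE pages_appearance='yes' AND pages_text LIKE ? "
        "OR thecategory=? OR pages_location=? OR pages_price BETWEEN ? AND ? "
        "ORDER BY rowid"
    )
    params = ("%" + text + "%", cat, location, fromprice, toprice)
    return [row[0] for row in con.execute(sql, params)]


def search_fixed(con, text, cat, location, fromprice, toprice):
    """Parentheses group the OR alternatives so the visibility filter applies to every row.
    Assumption: the intent was 'published AND any filter matches'; change the grouping if all
    filters must match. User input only ever travels through the ? placeholders."""
    sql = (
        "SELECT pages_text FROM pages "
        "WHERE pages_appearance='yes' AND (pages_text LIKE ? "
        "OR thecategory=? OR pages_location=? OR pages_price BETWEEN ? AND ?) "
        "ORDER BY rowid"
    )
    params = ("%" + text + "%", cat, location, fromprice, toprice)
    return [row[0] for row in con.execute(sql, params)]


def prices_between(price_type, fromprice, toprice):
    """Prices matched by BETWEEN when the column is INTEGER vs TEXT (VARCHAR).
    Bounds are passed as strings, exactly as $_POST delivers them: with a numeric column the
    comparison is numeric, with a text column it is character-by-character ('900' > '2000')."""
    con = make_db(price_type)
    sql = "SELECT pages_price FROM pages WHERE pages_price BETWEEN ? AND ? ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (fromprice, toprice))]


if __name__ == "__main__":
    con = make_db()
    args = ("beach", 1, "Haifa", "500", "2000")
    print("as posted:", search_as_posted(con, *args))   # the unpublished draft leaks through
    print("fixed:    ", search_fixed(con, *args))       # only published rows
    print("INTEGER column:", prices_between("INTEGER", "500", "2000"))
    print("TEXT column:   ", prices_between("TEXT", "500", "2000"))
    # A quote in the search text is plain data for a bound parameter, not SQL syntax.
    print("quoted input:  ", search_fixed(con, "' OR 1=1 --", 99, "nowhere", "0", "0"))
```

Running the block shows the draft row appearing in the "as posted" result because `thecategory=1` matches it on its own, and disappearing once the ORs are parenthesised. The TEXT-column call returns nothing for a 500..2000 range even though 900 and 1200 are stored, which is the practical answer to the BETWEEN question: keep prices in a numeric column, or CAST before comparing. In PHP the equivalent of the `?` placeholders is a prepared statement via PDO or mysqli rather than `mysql_real_escape_string` around each value.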