WHERE alternative??



#1
02-20-2005
kiqyou_vf
 
WHERE alternative??

hi guys, first of all i'm really new to php so i apologize ahead of
time if this is a noob question.

ok, so i purchased and read the PHP for the World Wide Web by Larry
Ullman and started to write my own script. im trying to write a script
that searches through a company name column (co_name) and returns the
row - simple. here is a snippet:

if (isset ($_GET['search'])) {
    $query = "SELECT * FROM gcbd WHERE co_name='{$_GET['co_search']}' ";
    $executequery = mysql_query($query);
    $retrieverow = mysql_fetch_array($executequery);
    print "<br /><strong>phone:&nbsp;</strong>" .
        $retrieverow['phone_num'] . "<br /><strong>company
        name:&nbsp;</strong>" . $retrieverow['co_name'] . "<br /><strong>Company
        address:</strong>&nbsp;" . $retrieverow['addy'] . "<br />";
} else {
    print "nothing is here";
}



what im trying to do is have the query return a row if ANY word in
co_name matches $_GET['co_search'] but i can't seem to do that with
WHERE (or WHERE alone). this snippet only returns a row if
$_GET['co_search'] matches EXACTLY what is entered in the co_name
column, which is not what i want. i've searched through the mysql
reference manual but it was difficult for me to find anything i could
understand easily in there. so if anyone could help a brotha out, that'd
be greatly appreciated. thanks!

#2
02-20-2005
News Me

Re: WHERE alternative??

kiqyou_vf wrote:
> hi guys, first of all i'm really new to php so i apologize ahead of
> time if this is a noob question.
>
> ok, so i purchased and read the PHP for the World Wide Web by Larry
> Ullman and started to write my own script. im trying to write a script
> that searches through a company name column (co_name) and returns the
> row - simple. here is a snippet:
>
> if (isset ($_GET['search'])){
> $query="SELECT * FROM gcbd WHERE co_name='{$_GET['co_search']}' ";
> $executequery=mysql_query($query);
> $retrieverow=mysql_fetch_array($executequery);
> print "<br /><strong>phone:&nbsp;</strong>" .
> $retrieverow['phone_num'] . "<br /><strong>company
> name:&nbsp;</strong>" . $retrieverow['co_name'] ."<br /><strong>Company
> adress:</strong>&nbsp;" . $retrieverow['addy'] . "<br />";
>
> }else{
> print "nothing is here";
> }
>
>
>
> what im trying to do is have the query return a row if ANY word in
> co_name matches $_GET['co_search'] but i can't seem to do that with
> WHERE (or WHERE alone). this snippet only returns a row if
> $_GET['co_search'] matches EXACTLY what is entered in the co_name
> column, which is not what i want. i've searched through the mysql
> reference manual but it was difficult for me to find anything i could
> understand easily in there. so if anyone could help a brotha out, that'd
> be greatly appreciated. thanks!
>


WHERE co_name LIKE '%{$_GET['co_search']}%'

The '%' are wildcards. BTW, it is really bad practice to put data from
a form directly into a query. A better approach would be to dump it
into a var and do some validation on it:

$co_name = $_GET['co_search'];
// insert code to verify $co_name looks OK
$query = "SELECT * FROM gcbd WHERE co_name LIKE '%$co_name%' ";

NM

--
convert UPPERCASE NUMBER to a numeral to reply
#3
02-21-2005
kiqyou_vf

Re: WHERE alternative??

AWESOME! thanks for the help, it works perfectly now. i got to thinkin
that maybe a company name column wouldn't be the best thing to search
and that a keywords column would be better, that way i can include the
category and other things and keep the company name an "official"
entry.

one more question, why is it better to put get/post vars into a regular
var besides it being less to type?

sorry about the double post btw.

#4
02-21-2005
Juha Suni

Re: WHERE alternative??

kiqyou_vf wrote:
> one more question, why is it better to put get/post vars into a
> regular var besides it being less to type.


It is not so much about where you put it, but more about what you
(should) do with it before inserting it into a database query. If you do
not validate the GET / POST variables somehow, you're making your system
wide open for SQL injection attacks. GET and POST data always comes from
the user, and could contain any data whatsoever. Including parts of SQL
statements. What if $_GET['co_search'] contains special characters and
commands to delete tables in your database? You are directly executing
SQL commands that are coming from the user. How much do you trust your
users?

Check out:
http://www.php.net/mysql_escape_string
http://www.php.net/manual/en/ref.inf...gic-quotes-gpc
http://www.php.net/addslashes

For more information.

--
Suni
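A version of the search that addresses both replies above (the LIKE wildcards from #2 and the injection warning in #4), written here as an added example and not code by any of the posters: the search string is bound as a prepared-statement parameter so it is never parsed as SQL, LIKE metacharacters in the input are escaped so a typed '%' matches literally, every word of the search must appear in co_name as the original post asked, and the values are HTML-escaped on output. It assumes a MySQL table gcbd with the columns named in the thread and a PDO connection; the DSN and credentials are placeholders.

```php
<?php
// Added example, not code from the thread. Table and column names (gcbd,
// co_name, phone_num, addy) come from the original post; the DSN and
// credentials are placeholders to replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
               'DB_USER', 'DB_PASSWORD',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Return rows whose co_name contains every word of the search string.
// The user's text reaches MySQL only as bound parameters, so quotes or SQL
// keywords in it are compared as literal characters, not executed.
function search_companies(PDO $pdo, string $search): array
{
    $words = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    if ($words === []) {
        return [];
    }
    $clauses = [];
    $params  = [];
    foreach ($words as $i => $word) {
        // Binding stops injection but does not neutralise LIKE wildcards:
        // escape %, _ and backslash so a user-supplied '%' matches itself.
        // MySQL's default LIKE escape character is the backslash.
        $params[":w$i"] = '%' . addcslashes($word, '\\%_') . '%';
        $clauses[]      = "co_name LIKE :w$i";
    }
    $sql  = 'SELECT co_name, phone_num, addy FROM gcbd WHERE '
          . implode(' AND ', $clauses);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (isset($_GET['co_search'])) {
    $rows = search_companies($pdo, $_GET['co_search']);
    if ($rows === []) {
        print "nothing is here";
    }
    // Database values are untrusted as well: escape them before they
    // are written into the HTML page.
    $h = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    foreach ($rows as $row) {
        print '<br /><strong>phone:&nbsp;</strong>' . $h($row['phone_num'])
            . '<br /><strong>company name:&nbsp;</strong>' . $h($row['co_name'])
            . '<br /><strong>Company address:</strong>&nbsp;' . $h($row['addy'])
            . '<br />';
    }
}
```

The mysql_* functions used in the thread have since been removed from PHP, which is why the example uses PDO; the same parameter binding is available with mysqli prepared statements.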
