发表新帖
发表新帖

LIKE operator with $variable

后端 未结
关注
6 1975
有刺的猬
有刺的猬 2020-12-18 13:24

This is my first question here and I hope it is simple enough to get a quick answer!

Basically, I have the following code:

$variable = curPageURL();
相关标签:
6条回答
  • 你的背包
    2020-12-18 13:46

    Your code is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query string. Instead, it must first be sanitized with a function such as mysql_real_escape_string().

    0 讨论(0)
  • 自闭症患者
    2020-12-18 13:51

    Ultimately, what I want, is to be able to make a search for which the search-term is the current page's url, with wildcards before and after.

    The SQL wildcard character is a percent sign. Therefore:

    $variable = curPageURL();
$variable = mysql_real_escape_string($variable);
$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '%{$variable}%'";

    Note: I've added in an extra bit of code. mysql_real_escape_string() will protect you from users deliberately or accidentally putting characters that will break your SQL statement. You're better off using parameterised queries, but that's a more involved topic than this simple fix.

    Also note: I've fixed your string quoting, too. You can only use a variable in a string directly if that string is double quoted, and you were missing a quote at the end of $query.

    edit 17 Jan 2015: Just got an upvote, so with that in mind, please don't use the mysql_* functions anymore.

    0 讨论(0)
  • 陌清茗
    2020-12-18 13:51

    As to why you're not being notified of the syntax error: It's fairly likely that your error reporting settings aren't set up correctly.

    Open php.ini and make sure the following is set:

    display_errors = On

    And:

    error_reporting = E_ALL
    0 讨论(0)
  • 小鲜肉
    2020-12-18 13:52

    Use:

    $query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '{$variable}'" ;

    To get an idea of why to prevent SQL injection attacks, like the above would be vulnerable to, I submit "Exploits of a Mom":

    alt text

    0 讨论(0)
  • 庸人自扰
    2020-12-18 13:52

    Use double quotes if you need to substitute variable values:

    ## this code is open for SQL injection attacks
$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '$variable'";

    Or concat string manually:

    ## this code is open for SQL injection attacks
$query = 'SELECT * FROM `tablename` WHERE `columnname` LIKE "' . $variable . '"';
    0 讨论(0)
  • 借酒劲吻你
    2020-12-18 13:57

    Please don't do this, it is vulnerable to SQL injection (this is a list of 138 StackOverflow questions you should read, absorb and understand prior to returning to your application). Use parametrized queries or stored procedures.

    0 讨论(0)
 看不清?
提交回复
热议问题