List: Denmark MySQL Users Group
From:Allan Jacobsen Date:February 3 2009 8:35am
Subject:SV: variable searching with FULLTEXT
> $searchstring = "hi mom"; // Or $_POST['searchtext']..
> $query = "SELECT * FROM journal WHERE text like '%$searchstring%'";

Is correct, but not safe; the last line should be:

$query = "SELECT * FROM journal WHERE text like '%"
       . mysql_real_escape_string($searchstring) . "%'";


Best regards/MVH
Allan Jacobsen
Infrastruktur, IT-teknik, Danske Spil A/S
Korsdalsvej 135, 2605 Brøndby


-----Original message-----
From: Esben Damgaard [mailto:ebbe@stripped] 
Sent: 3 February 2009 08:56
To: Norman Bird
Cc: denmark@stripped
Subject: Re: variable searching with FULLTEXT


Norman Bird wrote:
> I'm developing a search form for an online journal/diary where the user can
> search the data for any words or even Boolean format. I want what FULLTEXT
> provides, but fulltext requires a constant string. That appears to be only
> good for ad hoc queries from the command line.
>
> How do you guys handle user forms where the search data is dynamic?
>
> Interested in how everyone handles that situation. All I see available is
> using "LIKE"
> I.E.
>
> select * from journal where `text` like '%dreams%'
>   
You just printed your solution. Now what you need is to take this to a 
PHP forum.. or I could just give you your answer:

$searchstring = "hi mom"; // Or $_POST['searchtext']..
$query = "SELECT * FROM journal WHERE text like '%$searchstring%'";


/E

-- 
Denmark MySQL Users Group Mailing List
For list archives: http://lists.mysql.com/ug-denmark
To unsubscribe:    http://lists.mysql.com/ug-denmark?unsub=1
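The three versions of the search discussed in this thread (raw interpolation, escaping, and what escaping still leaves open), as an added, runnable example that is not code from any of the posters. It uses Python and SQLite instead of the thread's PHP and MySQL so that it runs offline; the journal rows, the function names (search_interpolated, search_parameterised, escape_like, search_safe, demo) and the injected search term are all constructed for the illustration.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "journal" table
# (illustrative data, not from the original post).
SAMPLE_ENTRIES = [
    "Last night I had strange dreams about flying.",
    "Wrote 100% of the report today.",
    "Called mom to say hi.",
    "Nothing much happened.",
]

LIKE_ESCAPE = "\\"  # escape character used by escape_like() and the ESCAPE clause


def make_db():
    """Create an in-memory SQLite database holding the sample journal rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journal (id INTEGER PRIMARY KEY, text TEXT NOT NULL)")
    conn.executemany("INSERT INTO journal (text) VALUES (?)",
                     [(entry,) for entry in SAMPLE_ENTRIES])
    return conn


def search_interpolated(conn, term):
    """The pattern from the thread: the user's text is pasted straight into the SQL."""
    query = "SELECT text FROM journal WHERE text LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def search_parameterised(conn, term):
    """Bound parameter only: the term travels as data, so it cannot change the
    statement, but % and _ inside it are still LIKE wildcards."""
    query = "SELECT text FROM journal WHERE text LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(query, ("%" + term + "%",))]


def escape_like(term, esc=LIKE_ESCAPE):
    """Escape the LIKE metacharacters (and the escape character itself) so the
    term is matched literally. The escape character must come first."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, term):
    """Bound parameter plus wildcard escaping: a literal substring search."""
    pattern = "%" + escape_like(term) + "%"
    query = "SELECT text FROM journal WHERE text LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(query, (pattern,))]


def demo():
    """Run each variant against the same input and collect what it returns."""
    conn = make_db()
    injected = "xyz' OR 1=1 --"   # constructed hostile search text
    try:
        search_interpolated(conn, "mom's")   # ordinary input with an apostrophe
        apostrophe = "ran"
    except sqlite3.OperationalError:
        apostrophe = "syntax error"
    return {
        "interpolated_injection": len(search_interpolated(conn, injected)),
        "interpolated_apostrophe": apostrophe,
        "safe_injection": len(search_safe(conn, injected)),
        "parameterised_wildcard": len(search_parameterised(conn, "%")),
        "safe_wildcard": search_safe(conn, "%"),
        "safe_plain": search_safe(conn, "dreams"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The interpolated version returns every row for the injected term and fails outright on a legitimate search containing an apostrophe. Binding the term as a parameter closes the injection, but a search for "%" still matches every row, which is why search_safe also escapes the LIKE wildcards and declares the escape character with ESCAPE. The PHP equivalent is a prepared statement via mysqli or PDO with the same wildcard escaping applied to the bound value; mysql_real_escape_string() escapes quotes and backslashes but not % or _, and the mysql_* extension it belongs to was removed in PHP 7. A bound parameter also works as the search string of MATCH ... AGAINST in a prepared statement, which addresses the original question about FULLTEXT needing a constant.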

Thread
variable searching with FULLTEXT - Norman Bird, 3 Feb
  • Re: variable searching with FULLTEXT - Esben Damgaard, 3 Feb
    • SV: variable searching with FULLTEXT - Allan Jacobsen, 3 Feb
  • RE: variable searching with FULLTEXT - Haktan Bulut, 3 Feb
    • Re: variable searching with FULLTEXT - Norman Bird, 3 Feb