1

I'm trying to use the following MySQL query, but there is obviously something wrong. I'm trying to make page.php or page.php?q= return the following query:

if (!isset($_GET['q'])) { $where = "WHERE column1 LIKE %"; }
else { $where = "WHERE column1 LIKE ".$_GET['q']; }

$query = "SELECT column1, column2 FROM table '$where' GROUP BY column1";

So if there is no GET, then there is no WHERE in the MySQL query. I the GET is set to something, then there is a WHERE with that GET value.

Currently I'm getting the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''WHERE column1LIKE ' GROUP BY column1' at line 1

Improve this question
2
  • 4
    Your code is wide-open to SQL Injection attacks. Please use parameterised queries. Commented Dec 8, 2012 at 1:04
  • Thanks Dai. At the moment this is just a temporary page. I´t won´t be up for long and is only on an intranet. Commented Dec 8, 2012 at 1:11

4 Answers 4

Reset to default
2

You need to use some sort of escaping, but that's an exercise for another day. If you simply want to get it working, remove the single quotes around the where variable.

$query = "SELECT column1, column2 FROM table $where GROUP BY column1";
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

For a general solution using PDO, try this snippet (where $db is a PDO connection object).

$params = array();

$sql = 'SELECT column1, column2 FROM table where 1 ';

if (!empty($_GET['q'])) {
    $sql .= " column1 like ?";
    $params[] = '%' . $_GET['q'] . '%';
}

if (!empty($_GET['r'])) {
    $sql .= " column2 like ?";
    $params[] = '%' . $_GET['r'] . '%';
}

$sql .= ' GROUP BY column1 ORDER BY column1';

$query = $db->prepare($sql);
$i = 1;
foreach ($params as $param) {
    $query->bindValue($i, $param);
    $i++;
}
$query->execute();
Improve this answer

1 Comment

Thanks, I updaed my script for PDO and the above helped with my issue.
1

You need to put the search string in the WHERE clause between single quotes, like this:

$where = "";
// if there the get q is set we add the were clause
if (!isset($_GET['q'])) {
    $where = "WHERE column1 LIKE %";
    // ^ This WHERE clause is useless, since it matches all strings.
    // Omitting this WHERE clause has the same effect.
}
else { $where = "WHERE column1 LIKE ".$_GET['q']; }

$query = "SELECT column1, column2 FROM table ".$where." GROUP BY column1";

Notice that your script is highly vulnerable agains attacks. Read about SQL-injections.

Improve this answer

Comments

0

I think you could simply do that: btw.. you do not need the other part "" the like % "" you can simply omit the where clause all together and it will do the same effect... here is a replica of what you just posted:

$where = "";
//if there the get q is set we add the where clause
if(isset($_GET['q'])) { 
   $where = "WHERE column1 LIKE '".$_GET['q']."'"; 
}

$query = "SELECT column1, column2 FROM table ".$where." GROUP BY column1";
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.