Comments on: Simple MySQL Search Query

By: Jacob

Jacob — Sat, 01 Oct 2011 11:46:52 +0000

I would also recommend creating a blacklist of banned characters – % is a big one as it is the SQL wildcard. Enter that as your last name and you will receive all the database results. ;)

By: sonal

sonal — Wed, 07 Jan 2009 04:29:45 +0000

hiiiiii

By: Lasse

Lasse — Tue, 26 Feb 2008 19:48:18 +0000

hmm… I am having some problems with this. When i search using the code above I only recieve one result. And that’s if I have more than one persons with same lastname. Example: I know I have 2 persons with the lastname: “Planitzer”. But when I search on the name only one is showing. Another problem is that this one person is the only one I can find. I have another person named “Jensen”. But the search function can’t find him and is showing no results.

Maybe it’s just me and my coding.. I’m still a new one in this area :)

By: ninuhadida

ninuhadida — Sun, 22 Jul 2007 10:17:31 +0000

you could even do this to protect against sql injection:

$lastName = mysql_real_escape_string($_POST[’lastName’]);

taken from php.net:

mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.

By: [ knrlpanick ]

[ knrlpanick ] — Thu, 12 Jul 2007 06:39:25 +0000

glad I could be of help.. :) I aim to please… anyhow, the real problem is that people will copy and paste said code into their application and leave themselves open to attack, I am sure you are aware of the security issues, but the people who are googling for someone to solve their code problems may not be… :) anyhow, I am sure I will criticize more of your code at some point in time *G*

You can always go criticize mine too if you want — although I haven’t updated my blog since January (looks like I am the lazy one….)

By: Tech Tools

Tech Tools — Sat, 07 Jul 2007 20:58:05 +0000

Handy Dandy

By: Nessa

Nessa — Sat, 07 Jul 2007 05:48:58 +0000

DOH! Actually, I'd prefer to just turn on register globals and not use $var = $_POST at all =D

Thanks for pointing that out...you just made me realize how lazy of a coder I am, and I've now lost all ambition and hope in life.

hehehe

By: [ knrlpanick ]

[ knrlpanick ] — Thu, 05 Jul 2007 19:46:10 +0000

this is also the #1 cause of SQL Injection vulerabilities in php web applications, so please, by all means, sprinkle this code throughout every last bit of your website.. :) — or you could fix it by simply changing the line:

$lastName = $_POST[’lastName’];

$lastName = ereg_replace(“[^a-z0-9A-Z]“, “”, $_POST[’lastName’] );

granted this is not the best practice and not the best action, however, it will save you alot of grief if you are doing this on some type of publicly accessible page.