Answer the question
In order to leave comments, you need to log in
"You have an error in your SQL syntax.." How to fix?
In general, when I enter quotation marks ("'" in the search, I get this error.
How to fix it?
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '%" ORDER BY name LIMIT 100' at line 1
Here is part of the code. I don't know exactly where the error is.
$sql = 'SELECT * FROM goods WHERE name LIKE "%'.$value.'%"';
else $sql .= ' AND name LIKE "%'.$value.'%"';
}
}
else {
$sql = 'SELECT * FROM goods WHERE name LIKE "'.mb_substr($_GET['alphabet'],0,1,'UTF-8').'%"';
}
$sql.=' ORDER BY name LIMIT 100';
$q = mysql_query($sql);
if($q) {
$i=0;
<?php
if(strstr($output,'$SEARCH_FORM$')) {
$search_form = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/application/views/search_form.php');
$output = str_replace('$SEARCH_FORM$', $search_form,$output);
}
if(strstr($output,'$SEARCH_RESULTS$')) {
$search_results='';
$search_results_template = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/application/views/search_result.php');
if(!empty($_POST['q']) or !empty($_GET['alphabet'])) {
if(!empty($_POST['q'])) {
$search_array = explode(' ',$_POST['q']);
$sql='';
foreach($search_array as $value) {
if(empty($sql))
$sql = 'SELECT * FROM goods WHERE name LIKE "%'.$value.'%"';
else $sql .= ' AND name LIKE "%'.$value.'%"';
}
}
else {
$sql = 'SELECT * FROM goods WHERE name LIKE "'.mb_substr($_GET['alphabet'],0,1,'UTF-8').'%"';
}
$sql.=' ORDER BY name LIMIT 100';
$q = mysql_query($sql);
if($q) {
$i=0;
while($row=mysql_fetch_assoc($q)) {
$i++;
$TITLE = $row['name'];
$HASH = preg_replace('/[^\p{L}\p{N}\s]/u','',md5(config_item('encryption_key').$TITLE));
$uppath = $_SERVER['DOCUMENT_ROOT'].'/assets/uploads/'.preg_replace('/[^\p{L}\p{N}\s]/u','', md5(config_item('encryption_key').$HASH.$TITLE)).'/';
$fl = file($uppath.$HASH);
$COUNT = count($fl);
$search_results.=str_replace(
array('$ITEM_ID$','$ITEM_TITLE$','$ITEM_PRICE$','$ITEM_IMAGE$','$ITEM_COUNT$'),
array($row['id'],$TITLE,$row['price_final'],$row['iconurl'],$COUNT),
$search_results_template);
}
if($i==0) {$search_results='<div><b>Ничего не найдено.</b></div>';}
}
else {
$search_results='<div>'.mysql_error().'</div>';
}
}
else {
$search_results='<div></div>';
}
$output = str_replace('$SEARCH_RESULTS$', $search_results,$output);
}
if(strstr($output,'$SEARCH_QUERY$')) {
if(!empty($_POST['q']))
$output = str_replace('$SEARCH_QUERY$', $_POST['q'],$output);
else {
if(!empty($_GET['alphabet']))
$output = str_replace('$SEARCH_QUERY$', 'Начинается с '.mb_substr($_GET['alphabet'],0,1,'UTF-8'),$output);
else
$output = str_replace('$SEARCH_QUERY$', 'Пустой запрос',$output);
}
}
?>
Answer the question
In order to leave comments, you need to log in
SQL considers that in a string of type the like %"ab"c%
quotation marks indicate the opening of the string. I don’t remember much SQL, but you can write%\"ab\"c%
It is necessary to shoot from a shit-gun for such a code. 1) Request concatenation 2) Use of dying methods of working with the database. 3) Concatenation of the request directly from GET parameters (Yes, yes, I know you will never be injected with code) 4) Formation of html in the same file. Dear, I have to warn you - never show this to a potential employer. We've all made mistakes while learning, but we need to stop writing the deadly sins of programming as soon as possible.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question