SQL
Paulink, 2015-09-29 18:17:03

"You have an error in your SQL syntax.." How to fix?

In general, when I enter quotation marks (" or ') in the search, I get this error.
How to fix it?
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '%" ORDER BY name LIMIT 100' at line 1
Here is part of the code. I don't know exactly where the error is.

        $sql = 'SELECT * FROM goods WHERE name LIKE "%'.$value.'%"';
        else $sql .= ' AND name LIKE "%'.$value.'%"';
      }
    }
    else {
      $sql = 'SELECT * FROM goods WHERE name LIKE "'.mb_substr($_GET['alphabet'],0,1,'UTF-8').'%"';
    }
    $sql.=' ORDER BY name LIMIT 100';
    $q = mysql_query($sql);
    if($q) {
      $i=0;

And here is the whole code, just to be sure
<?php

if(strstr($output,'$SEARCH_FORM$')) {
  $search_form = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/application/views/search_form.php');
  $output = str_replace('$SEARCH_FORM$', $search_form,$output);
}
if(strstr($output,'$SEARCH_RESULTS$')) {
  $search_results='';
  $search_results_template = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/application/views/search_result.php');

  if(!empty($_POST['q']) or !empty($_GET['alphabet'])) {
    if(!empty($_POST['q'])) {
      $search_array = explode(' ',$_POST['q']);
      $sql='';
      foreach($search_array as $value) {
        if(empty($sql))
        $sql = 'SELECT * FROM goods WHERE name LIKE "%'.$value.'%"';
        else $sql .= ' AND name LIKE "%'.$value.'%"';
      }
    }
    else {
      $sql = 'SELECT * FROM goods WHERE name LIKE "'.mb_substr($_GET['alphabet'],0,1,'UTF-8').'%"';
    }
    $sql.=' ORDER BY name LIMIT 100';
    $q = mysql_query($sql);
    if($q) {
      $i=0;
      while($row=mysql_fetch_assoc($q)) {
        $i++;
        $TITLE = $row['name'];

        $HASH = preg_replace('/[^\p{L}\p{N}\s]/u','',md5(config_item('encryption_key').$TITLE));
        $uppath = $_SERVER['DOCUMENT_ROOT'].'/assets/uploads/'.preg_replace('/[^\p{L}\p{N}\s]/u','', md5(config_item('encryption_key').$HASH.$TITLE)).'/';
        $fl = file($uppath.$HASH);
        $COUNT = count($fl);

        $search_results.=str_replace(
          array('$ITEM_ID$','$ITEM_TITLE$','$ITEM_PRICE$','$ITEM_IMAGE$','$ITEM_COUNT$'),
          array($row['id'],$TITLE,$row['price_final'],$row['iconurl'],$COUNT),
        $search_results_template);
      }
      if($i==0) {$search_results='<div><b>Ничего не найдено.</b></div>';}
    }
    else {
      $search_results='<div>'.mysql_error().'</div>';
    }
  }
  else {
    $search_results='<div></div>';
  }

  $output = str_replace('$SEARCH_RESULTS$', $search_results,$output);
}
if(strstr($output,'$SEARCH_QUERY$')) {
  if(!empty($_POST['q']))
  $output = str_replace('$SEARCH_QUERY$', $_POST['q'],$output);
  else {
    if(!empty($_GET['alphabet']))
    $output = str_replace('$SEARCH_QUERY$', 'Начинается с '.mb_substr($_GET['alphabet'],0,1,'UTF-8'),$output);
    else
    $output = str_replace('$SEARCH_QUERY$', 'Пустой запрос',$output);
  }
}
?>

2 answer(s)
Ivanq, 2015-09-29
@Paulink

SQL considers that in a string like %"ab"c% the quotation marks indicate the opening of a string. I don't remember much SQL, but you can write %\"ab\"c%

Dmitry Kovalsky, 2015-09-29
@dmitryKovalskiy

Code like this deserves to be shot with a shit-gun. 1) Query concatenation. 2) Use of dying methods of working with the database. 3) Concatenating GET parameters directly into the query (yes, yes, I know, no one will ever inject code into you). 4) Forming HTML in the same file. Dear, I have to warn you: never show this to a potential employer. We've all made mistakes while learning, but you need to stop committing the deadly sins of programming as soon as possible.
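
Points 1 to 3 above in practice, as an added example that is neither the poster's code nor either answerer's: the same goods search rebuilt on PDO prepared statements, so a quote in a search word is bound as data and can no longer end the SQL string literal. Connection settings (DB_NAME, DB_USER, DB_PASS) are placeholders, and escapeLikePattern and buildGoodsSearch are names chosen here.

```php
<?php
// Added example, not the poster's or the answerers' code: the "goods" search
// rebuilt on PDO prepared statements. The search words are bound as data, so
// a quote inside them can no longer end the SQL string literal.

// Escape the LIKE metacharacters so a user typing % or _ does not get
// wildcards; '!' is declared as the escape character in the query below.
function escapeLikePattern(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// Build "SELECT ... WHERE name LIKE ? AND name LIKE ? ..." with one
// placeholder per word; returns the SQL text and the values to bind separately.
function buildGoodsSearch(array $words): array
{
    $clauses = [];
    $params  = [];
    foreach ($words as $word) {
        if ($word === '') {
            continue;                    // explode() yields '' on double spaces
        }
        $clauses[] = "name LIKE ? ESCAPE '!'";
        $params[]  = '%' . escapeLikePattern($word) . '%';
    }
    if ($clauses === []) {
        return ['', []];                 // empty query: nothing to run
    }
    $sql = 'SELECT id, name, price_final, iconurl FROM goods WHERE '
         . implode(' AND ', $clauses)
         . ' ORDER BY name LIMIT 100';
    return [$sql, $params];
}

// Placeholder connection settings (DB_NAME, DB_USER, DB_PASS are not real).
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values never enter the SQL text
]);

// A constructed search string with the double quote that broke the original query.
$q = $_POST['q'] ?? 'Samsung 24" monitor';
[$sql, $params] = buildGoodsSearch(explode(' ', $q));
$rows = [];
if ($sql !== '') {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// $rows now holds up to 100 matching goods, or [] if nothing matched.
```

The same pattern covers the $_GET['alphabet'] branch: bind escapeLikePattern($letter) . '%' as the parameter instead of splicing the letter into the query text.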
