WHERE alternative??


Hi guys, first of all I'm really new to PHP, so I apologize ahead of
time if this is a noob question.

OK, so I purchased and read PHP for the World Wide Web by Larry
Ullman and started to write my own script. I'm trying to write a script
that searches through a company name column (co_name) and returns the
row. Simple. Here is a snippet:

     if (isset($_GET['search'])) {
          // as posted: the search term goes straight into the query string
          $query = "SELECT * FROM gcbd WHERE co_name='{$_GET['co_search']}'";
          // run the query and fetch the matching row (mysql_* calls assumed)
          $result = mysql_query($query);
          if ($retrieverow = mysql_fetch_array($result)) {
               print "<br /><strong>phone:&nbsp;</strong>" . $retrieverow['phone_num'] .
                    "<br /><strong>company name:&nbsp;</strong>" . $retrieverow['co_name'] .
                    "<br /><strong>Company address:</strong>&nbsp;" . $retrieverow['addy'] . "<br />";
          } else {
               print "nothing is here";
          }
     }

What I'm trying to do is have the query return a row if ANY word in
co_name matches $_GET['co_search'], but I can't seem to do that with
WHERE (or WHERE alone). This snippet only returns a row if
$_GET['co_search'] matches EXACTLY what is entered in the co_name
column, which is not what I want. I've searched through the MySQL
reference manual, but it was difficult for me to find anything I could
understand easily in there. So if anyone could help a brotha out, that'd
be greatly appreciated. Thanks!

Re: WHERE alternative??

kiqyou_vf wrote:

WHERE co_name LIKE '%{$_GET['co_search']}%'

The '%' are wildcards. BTW, it is really bad practice to put data from
a form directly into a query. A better approach would be to dump it
into a var and do some validation on it:

$co_name = $_GET['co_search'];
// insert code to verify $co_name looks OK
$query = "SELECT * FROM gcbd WHERE co_name LIKE '%$co_name%' ";



Re: WHERE alternative??

AWESOME! Thanks for the help, it works perfectly now. I got to thinking
that maybe a company name column wouldn't be the best thing to search
and that a keywords column would be better; that way I can include the
category and other things and keep the company name an "official"

One more question: why is it better to put GET/POST vars into a regular
var, besides it being less to type?

Sorry about the double post, BTW.

Re: WHERE alternative??

kiqyou_vf wrote:

It is not so much about where you put it, but more about what you
(should) do with it before inserting it into a database query. If you do
not validate the GET/POST variables somehow, you're leaving your system
wide open to SQL injection attacks. GET and POST data always comes from
the user and could contain any data whatsoever, including parts of SQL
statements. What if $_GET['co_search'] contains special characters and
commands to delete tables in your database? You are directly executing
SQL commands that are coming from the user. How much do you trust your

Check out:

For more information.
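The two replies above cover the same ground: LIKE with '%' wildcards for the substring search, and the warning that pasting $_GET data into the query text leaves the script open to SQL injection. The following is an added example, not code from this thread or from the book it mentions, that puts the thread's string-built query next to a parameterized one. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the gcbd table, its three rows and the injection string are constructed for the example.

```php
<?php
// Added example (not from the thread). Compares the string-built query the thread
// uses with a parameterized one. Uses an in-memory SQLite database through PDO so
// it runs offline; the table, rows and attack string are constructed here.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE gcbd (co_name TEXT, phone_num TEXT, addy TEXT)");
    $ins = $db->prepare("INSERT INTO gcbd (co_name, phone_num, addy) VALUES (?, ?, ?)");
    foreach ([
        ['Acme 100 Widgets Ltd', '555-0100', '1 Main St'],   // constructed rows
        ['Globex 100% Organic',  '555-0101', '2 Side St'],
        ['Initech',              '555-0102', '3 Back St'],
    ] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// 1. The thread's pattern: the search term is pasted into the SQL text, so a term
//    containing a quote changes the statement itself.
function searchUnsafe(PDO $db, string $term): array {
    $query = "SELECT * FROM gcbd WHERE co_name LIKE '%$term%'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Parameterized query: the term travels to the database as data, never as SQL.
//    LIKE's own wildcards (% and _) are escaped with '!' so a user typing "100%"
//    searches for that literal text instead of widening the match.
function searchSafe(PDO $db, string $term): array {
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $db->prepare("SELECT * FROM gcbd WHERE co_name LIKE :pat ESCAPE '!'");
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
$attack = "x' OR 1=1 -- ";  // constructed injection string: closes the quote, adds a
                            // true condition, comments out the rest of the statement

foreach (['Initech', '100%', $attack] as $term) {
    printf("%-18s unsafe=%d row(s)  safe=%d row(s)\n",
        json_encode($term),
        count(searchUnsafe($db, $term)),
        count(searchSafe($db, $term)));
}
```

Run it with the php CLI. For the constructed injection string the string-built query returns the whole table, because the closing quote and the `--` turn the rest of the statement into a comment, while the parameterized query returns no rows since the same bytes are only compared against co_name. For the term "100%" the string-built query matches both companies with "100" in the name, whereas the escaped, parameterized version matches only the one whose name literally contains "100%". The '!' escape character is used instead of a backslash so the same statement works under PDO's MySQL driver, where a backslash inside a string literal is itself an escape.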

