Posted by Frankie on 07/28/06 20:35
"Bob Smith" <bsmith@sudleydeplacespam.com> wrote in message
news:Iqtyg.6367$oa1.820@news02.roc.ny...
>
>> $query =
>>sprintf ("SELECT itemNumber, thumbnailURL, title, description, price
>> FROM apparel,hats
>> WHERE apparel.title OR apparel.description OR hats.title OR
>> hats.description
>> LIKE '%s'",
>> $_POST['tfSearch']);
>
> Indeed it is ambiguous. To avoid this, use apparel.itemNumber or
> hats.itemNumber in the SELECT list. Repeat for the other columns.
>
> Also, to avoid an SQL injection attack, be sure to filter the input in
> $_POST[...] using a function appropriate to your SQL implementation.
Thanks for your quick reply! ... that did it.
Only now it appears I need a new approach. This query is producing bizarre
results (1225 records, when there aren't near that many rows in my tables).
I tried using DISTINCT after SELECT, but same result.
What I'm (humbly) trying to do is query the common columns from 6 different
tables. Using the above method would produce a query string a mile long (and
horribly complex). The above query was a test for only 2 tables.
Any suggestions?
RE: Yes, I'm using strip_tags() and trim() on the POST value.
"magic_quotes_gpc" is enabled, escaping any quotes (") or apostrophes (').
F.H.
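An added example, not code from this thread, written in Python against SQLite (the thread uses PHP and MySQL, but the SQL is the same): it shows why `FROM apparel,hats` with no join condition multiplies the row count, and how to search the common columns of several tables with one parameterized UNION query instead of a mile-long string. The table names, sample rows and column values are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the thread) for two of the six tables,
# using the five common columns the poster wants to search.
COLS = "itemNumber, thumbnailURL, title, description, price"
ROWS = {
    "apparel": [
        (101, "/t/101.jpg", "Wool jacket", "Warm winter jacket", 120.0),
        (102, "/t/102.jpg", "Rain coat", "Waterproof shell", 80.0),
        (103, "/t/103.jpg", "T-shirt", "Plain cotton tee", 15.0),
    ],
    "hats": [
        (201, "/t/201.jpg", "Wool beanie", "Knitted hat", 25.0),
        (202, "/t/202.jpg", "Sun hat", "Wide brim", 30.0),
    ],
}


def make_db():
    con = sqlite3.connect(":memory:")
    for name, rows in ROWS.items():
        con.execute(f"CREATE TABLE {name} ({COLS})")
        con.executemany(f"INSERT INTO {name} VALUES (?, ?, ?, ?, ?)", rows)
    return con


def cross_join_count(con):
    # "FROM apparel, hats" with no join condition pairs every apparel row with
    # every hats row: 3 x 2 = 6 here, which is why the original query returned
    # far more records than the tables actually hold.
    return con.execute("SELECT COUNT(*) FROM apparel, hats").fetchone()[0]


def search(con, term, tables=("apparel", "hats")):
    # One SELECT per table, combined with UNION. Table names come from this
    # fixed tuple, never from the request. The search term is bound as a
    # parameter, so quotes inside it stay literal characters rather than SQL,
    # and the LIKE wildcards % and _ are escaped so they match literally too.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    pattern = "%" + escaped + "%"
    sql = " UNION ".join(
        f"SELECT {COLS} FROM {t} "
        "WHERE title LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\'"
        for t in tables
    ) + " ORDER BY itemNumber"
    return con.execute(sql, [pattern, pattern] * len(tables)).fetchall()
```

Adding the remaining four tables is one more name in the `tables` tuple each; the SQL text never changes shape, and the term is still passed separately from it.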