Posted by Rik on 07/28/06 23:57
Frankie wrote:
> "Bob Smith" <bsmith@sudleydeplacespam.com> wrote in message
> news:Iqtyg.6367$oa1.820@news02.roc.ny...
>>
>>> $query =
>>> sprintf ("SELECT itemNumber, thumbnailURL, title, description, price
>>> FROM apparel,hats
>>> WHERE apparel.title OR apparel.description OR hats.title
>>> OR hats.description
>>> LIKE '%s'",
>>> $_POST['tfSearch']);
>>
>> Indeed it is ambiguous. To avoid this, use apparel.itemNumber or
>> hats.itemNumber in the SELECT list. Repeat for the other columns.
>>
>> Also, to avoid an SQL injection attack, be sure to filter the input
>> in $_POST[...] using a function appropriate to your SQL
>> implementation.
>
>
> Thanks for your quick reply!....that did it.
>
> Only now it appears I need a new approach. This query is producing
> bizarre results (1225 records, when there aren't near that many rows
> in my tables). I tried using DISTINCT after SELECT, but same result.
>
> What I'm (humbly) trying to do is query the common columns from 6
> different tables. Using the above method would produce a query string
> a mile long (and horribly complex). The above query was a test for
> only 2 tables.
>
> Any suggestions?
Clarify your exact needs and the correlation between tables. Without it, it's
hard to come up with a suitable solution. Telling us what kind of database
you're using is also a big plus (and a question like this is usually more
appropriate in a newsgroup about that particular kind of DB).
> RE: Yes, I'm using strip_tags() and trim() on the POST value.
> "magic_quotes_gpc" is enabled, escaping any quotes (") or apostrophes
> (').
Magic_quotes are unreliable at best (and IMHO a f*cking nuisance when coding
correctly). If using mysql (which people usually are),
mysql_real_escape_string() is a good way to go. Using prepared statements is
better.
Grtz,
--
Rik Wasmus
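A worked version of the points raised in this thread, added here as an example and not code from any of the posters. It uses Python with an in-memory SQLite database standing in for the poster's MySQL; the table names, rows and column values are constructed for the demo, and the search term is wrapped in `%...%` for a substring search, which the posted query did not do. It shows three things: what the posted query shape (`FROM apparel, hats` plus an OR chain ending in one `LIKE`) actually returns, a `UNION ALL` rewrite that searches the common columns of any number of tables without the cross product, and the difference between `sprintf`-style interpolation and bound parameters when the input contains a quote.

```python
import sqlite3

# Constructed sample rows (not data from the thread): the same five "common"
# columns in each table, as in the poster's SELECT list.
APPAREL = [
    (101, "a1.jpg", "Red Shirt", "Cotton tee", 19.99),
    (102, "a2.jpg", "Blue Jeans", "Denim", 49.99),
    (103, "a3.jpg", "Wool Sweater", "Warm knit", 59.99),
]
HATS = [
    (201, "h1.jpg", "Red Cap", "Baseball cap", 14.99),
    (202, "h2.jpg", "Fedora", "Felt", 39.99),
    (203, "h3.jpg", "Beanie", "Wool knit", 12.99),
    (204, "h4.jpg", "Straw Hat", "Summer", 9.99),
]

# Table names cannot be bound as query parameters, so the tables a search may
# touch are fixed in code and anything else is rejected. Assumed names.
ALLOWED_TABLES = ("apparel", "hats")


def make_db():
    """In-memory SQLite database (standing in for the poster's MySQL)."""
    conn = sqlite3.connect(":memory:")
    for name, rows in (("apparel", APPAREL), ("hats", HATS)):
        conn.execute(
            f"CREATE TABLE {name} (itemNumber INTEGER, thumbnailURL TEXT, "
            "title TEXT, description TEXT, price REAL)"
        )
        conn.executemany(f"INSERT INTO {name} VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def search_original_shape(conn, term):
    """The thread's query shape, with columns qualified as Bob suggested.

    Two problems remain: 'FROM apparel, hats' is a cross join (every apparel
    row paired with every hats row), and LIKE binds tighter than OR, so the
    pattern is applied only to hats.description. The other three operands
    are text coerced to a number (0 = false) and never match anything.
    """
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT apparel.itemNumber, apparel.thumbnailURL, apparel.title, "
        "apparel.description, apparel.price "
        "FROM apparel, hats "
        "WHERE apparel.title OR apparel.description OR hats.title "
        "OR hats.description LIKE ?",
        (pattern,),
    ).fetchall()


def build_union_query(tables):
    """One SELECT per table over the common columns, glued with UNION ALL."""
    for t in tables:
        if t not in ALLOWED_TABLES:
            raise ValueError(f"table not allowed: {t}")
    parts = [
        f"SELECT '{t}' AS source, itemNumber, thumbnailURL, title, "
        f"description, price FROM {t} WHERE title LIKE ? OR description LIKE ?"
        for t in tables
    ]
    return "\nUNION ALL\n".join(parts) + "\nORDER BY title"


def search_union(conn, term, tables=ALLOWED_TABLES):
    """Search title and description of every table: no cross product, and the
    term travels as a bound parameter (two placeholders per table)."""
    pattern = "%" + term + "%"
    return conn.execute(build_union_query(tables),
                        [pattern] * (2 * len(tables))).fetchall()


def count_hats_unsafe(conn, term):
    """sprintf-style interpolation as in the posted code (deliberately unsafe)."""
    sql = ("SELECT count(*) FROM hats WHERE title LIKE '%s' "
           "OR description LIKE '%s'" % (term, term))
    return conn.execute(sql).fetchone()[0]


def count_hats_safe(conn, term):
    """Same search with placeholders: a quote in the input is just data."""
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT count(*) FROM hats WHERE title LIKE ? OR description LIKE ?",
        (pattern, pattern),
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(len(search_original_shape(db, "knit")), "rows from the cross join")
    print(search_original_shape(db, "Cotton"), "<- apparel.description never tested")
    for row in search_union(db, "knit"):
        print(row)
    print(count_hats_unsafe(db, "x' OR '1'='1"), count_hats_safe(db, "x' OR '1'='1"))
```

With the constructed data the original shape returns 3 rows for "knit" (the one matching hat paired with all three apparel rows) and nothing for "Cotton", while the UNION ALL version returns exactly the one apparel item and one hat whose text matches. The last line shows why Rik prefers prepared statements over escaping: the input `x' OR '1'='1` turns the interpolated query into a match-everything query (4 rows) but matches nothing when bound as a parameter. The allowlist in `build_union_query` matters because identifiers, unlike values, cannot be parameterized, so a six-table search should generate its SQL from a fixed list rather than from anything user-controlled.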