Posted by Norman Peelman on 07/17/07 02:06
pnberry@gmail.com wrote:
> Hi,
>
> I'm trying to write a query using the mysql interface and I do not
> know how to escape the parentheses I'm using in the query.
>
> Here's the query as I tested it in the mysql monitor and it works as
> it should:
>
> SELECT * FROM tblCustomers WHERE InactiveFlag = "0" AND (FirstName
> LIKE "%Paul%" or BusinessOrLastName LIKE "%Paul%" OR Id LIKE "%Paul
> %") ORDER BY BusinessOrLastname;
>
> Here is what I've tried in my PHP script (the strings $inactive &
> $search have the values "0" and "Paul" respectively):
>
> $result = mysql_query("SELECT * FROM tblCustomers WHERE InactiveFlag=
> \"$inactive\"
> AND \(FirstName LIKE \"%$search%\" OR BusinessOrLastName LIKE \"%
> $search%\" OR Id LIKE \"%$search%\"\)
> ORDER BY BusinessOrLastName",$db);
>
> I've attempted to escape the ()'s in the mysql_query() function with
> backslashes \( and \) but it isn't working. I've read the PHP manual
> about mysql_real_escape_string() but it's not clear if this will work
> or how I would apply it.
>
> Any leads would be appreciated. Thanks, Paul
>
$result = mysql_query("SELECT * FROM tblCustomers WHERE InactiveFlag=
$inactive AND (FirstName LIKE '%$search%' OR BusinessOrLastName LIKE
'%$search%' OR Id LIKE '%$search%') ORDER BY BusinessOrLastName",$db);
...should do the trick. Just please make sure you sanitize your
variables prior to using them to prevent SQL Injections.
Norm
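
The query from this thread written with bound parameters, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database and constructed sample rows so that it runs offline (the same prepare/execute calls work with a mysql: DSN); the helper names likeContains() and searchCustomers() and the choice of '!' as the LIKE escape character are hypothetical.

```php
<?php
// Added example: the parentheses are plain SQL syntax and need no escaping;
// only the *values* must be kept out of the SQL text, via placeholders.

function likeContains(string $term): string
{
    // Escape LIKE metacharacters so the input matches literally, then wrap in %.
    // '!' is replaced first so the escapes added for % and _ are not doubled.
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

function searchCustomers(PDO $db, string $inactive, string $search): array
{
    $sql = "SELECT * FROM tblCustomers
            WHERE InactiveFlag = :inactive
              AND (FirstName LIKE :s1 ESCAPE '!'
                   OR BusinessOrLastName LIKE :s2 ESCAPE '!'
                   OR Id LIKE :s3 ESCAPE '!')
            ORDER BY BusinessOrLastName";
    $stmt = $db->prepare($sql);
    $p = likeContains($search);
    $stmt->execute([':inactive' => $inactive, ':s1' => $p, ':s2' => $p, ':s3' => $p]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (not from the thread).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblCustomers
           (Id TEXT, FirstName TEXT, BusinessOrLastName TEXT, InactiveFlag TEXT)");
$ins = $db->prepare("INSERT INTO tblCustomers VALUES (?, ?, ?, ?)");
foreach ([
    ['C1', 'Paul', 'Berry', '0'],
    ['C2', 'Ann', "Paulson's Garage", '0'],
    ['C3', 'Paul', 'Retired', '1'],
    ['C4', 'Eve', '100% Organic', '0'],
] as $row) {
    $ins->execute($row);
}

// A normal term, a quote-breaking term, and a bare wildcard.
foreach (['Paul', "x' OR '1'='1", '%'] as $term) {
    $rows = searchCustomers($db, '0', $term);
    printf("%-16s => %d row(s)\n", $term, count($rows));
}
```

The quote-breaking term is treated as data and simply matches nothing, and the bare `%` matches only the row that contains a literal percent sign instead of every customer.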