I am executing the following query in a MySQL database (look at SELECT AND WHERE, the rest is not important):
SELECT distinct fname //more fields...
FROM filedepot_files AS ff
INNER JOIN filedepot_categories AS fc
ON ff.cid = fc.cid
INNER JOIN filedepot_access AS fa
ON fc.cid = fa.catid
WHERE fa.permid=$id AND fname LIKE '%$key%'
ORDER BY DATE
The environment is a PHP script running under Drupal with FileDepot module but I doubt that matters at all.
This is the PHP script (well the part that matters):
$id = 1;
$key = $_GET['key'];
$query = .... (see above)
$result = db_query($query);
while($row = db_fetch_array($result)){
//do stuff
echo $row['fname'];
}
db_query() is a Drupal method that allows you to easily execute SQL queries and returns an array; db_fetch_array() allows you to parse the result.
Now, DB contains the following entries for fname (there are more, these are just examples):
- Dichiarazione 1
- Dichiarazione 2
- Guida 1
- Guida 2
If I launch the script with “guida” as key it correctly returns the two entries both with PHP and MySQL.
If I use “Guida” it works as well.
However, if I use “dichiarazione” it doesn’t with PHP, while it does with MySQL.
Strange thing is that “Dichiarazione” works both with PHP and MySQL.
What is wrong with the query? I tried to use LOWER(fname) LIKE '%$key%' but it doesn’t seem to work as intended.
I am sure there is something stupid that I am missing but I can’t seem to find what that is…
% is a special character in Drupal queries (it’s used for placeholders). Try double-escaping it:
More worryingly though, you’re wide open to SQL injection. Some sanitisation is in order:
It might look crazy but that’s the right number of % signs. Two for each literal %, and one (%s) for the string placeholder.
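The following is an added example, not code from the question or the answer. It models the placeholder pass the answer describes to show why only “dichiarazione” breaks and how the %%/%s form handles the same inputs. `model_db_query_expand()` and `escape_like()` are hypothetical helpers; the `%d` integer placeholder, the missing-argument-becomes-0 behaviour and the use of `addslashes()` in place of `db_escape_string()` are assumptions of this simplified model.

```php
<?php
// Simplified model of the placeholder pass in Drupal 6's db_query() (an assumption
// for illustration; the real function also prefixes tables and runs the query).
function model_db_query_expand($query, array $args = array()) {
  return preg_replace_callback('/(%d|%s|%%)/', function ($m) use (&$args) {
    switch ($m[1]) {
      case '%%': return '%';                                      // literal percent sign
      case '%d': return (string) (int) array_shift($args);        // integer; missing arg -> 0
      case '%s': return addslashes((string) array_shift($args));  // stand-in for db_escape_string()
    }
  }, $query);
}

// Escape LIKE wildcards so user input cannot widen the match.
function escape_like($s) {
  return addcslashes($s, '\\%_');
}

$id = 1;
// Constructed inputs: the three keys from the question plus one containing quotes.
foreach (array('guida', 'Dichiarazione', 'dichiarazione', "x' OR '1'='1") as $key) {
  // Question's form: $key is interpolated first, then the text is scanned for
  // placeholders, so the "%d" in "%dichiarazione%" is consumed as an integer.
  $before = model_db_query_expand("WHERE fa.permid=$id AND fname LIKE '%$key%'");

  // Answer's form: %d / %s placeholders and %% for each literal percent sign.
  // With Drupal 6 the call shape would be: db_query($sql, $id, escape_like($key)).
  $after = model_db_query_expand(
    "WHERE fa.permid=%d AND fname LIKE '%%%s%%'",
    array($id, escape_like($key))
  );

  echo "key:    $key\nbefore: $before\nafter:  $after\n\n";
}
```

In the "before" output the lowercase key turns into `'0ichiarazione%'`, while “Dichiarazione” and “guida” pass through untouched because `%D` and `%g` are not placeholders; the quoted input changes the WHERE clause only in the "before" form.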