I am working on a small library application. I have a bit of code in PHP that feeds a variable to an SQL routine. I want to move this bit of insecure PHP code to an SQL procedure.
Right now the procedure looks like this:

    DELIMITER ~~~
    CREATE PROCEDURE findwriter (IN thread VARCHAR(25))
    BEGIN
        SELECT books.title AS title,
               CONCAT(authors.efname, ' ', authors.elname) AS scribe,
               books.book_id AS id,
               Topics.topic AS subject
        FROM books
        INNER JOIN bookswritten USING (book_id)
        INNER JOIN authors USING (writer_id)
        INNER JOIN Topics USING (Topic_id)
        -- "thread%" was a string literal, not the parameter; build the pattern from the parameter
        WHERE authors.elname LIKE CONCAT(thread, '%')
        GROUP BY books.title
        ORDER BY authors.elname, books.title;
    END ~~~
    DELIMITER ;
When I feed in a name to the procedure, I get an error that it doesn't recognize the string in my field list.
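An added example, not from the original question, of what the PHP side looks like once the name is passed to the procedure as a bound parameter instead of being spliced into SQL text. It assumes a PDO connection to a MySQL database named `library` (placeholder credentials), and a `findwriter` procedure whose WHERE clause reads `LIKE CONCAT(thread, '%')`.

```php
<?php
// Added example (not from the original post). Calls the findwriter stored
// procedure through a prepared statement so the user-supplied name is sent
// as data, never concatenated into the query string.

function findWriter(PDO $pdo, string $namePrefix): array
{
    // The procedure appends '%' itself, so a '%' or '_' typed by the user
    // would otherwise act as a LIKE wildcard; escape them so they match
    // literally (MySQL's default LIKE escape character is a backslash).
    $literal = addcslashes($namePrefix, '%_\\');

    $stmt = $pdo->prepare('CALL findwriter(?)');
    $stmt->bindValue(1, $literal, PDO::PARAM_STR); // matches IN thread VARCHAR(25)
    $stmt->execute();

    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // A CALL returns a trailing empty result set; release it so the
    // connection can run the next statement.
    $stmt->closeCursor();
    return $rows;
}

// Assumed connection details (placeholders, not from the original post).
$pdo = new PDO(
    'mysql:host=localhost;dbname=library;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

foreach (findWriter($pdo, $_GET['name'] ?? '') as $row) {
    printf("%s by %s (%s) [#%d]\n",
        $row['title'], $row['scribe'], $row['subject'], $row['id']);
}
```

With `ATTR_EMULATE_PREPARES` off, the `?` placeholder is bound by the server, so the only SQL text the driver ever sends is the fixed `CALL findwriter(?)`.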