using a variable name in a procedure like "variable%"
Baruch Menachem

msg:4401377 | 8:14 pm on Dec 25, 2011 (gmt 0) | I am working on a small library application. I have a bit of code in PHP that feeds a variable to an SQL routine. I want to move this bit of insecure PHP code to an SQL procedure. Right now the procedure looks like this:
DELIMITER ~~~
CREATE PROCEDURE findwriter (IN thread VARCHAR(25))
BEGIN
    SELECT books.title AS title,
           CONCAT(authors.efname, ' ', authors.elname) AS scribe,
           books.book_id AS id,
           Topics.topic AS subject
    FROM books
    INNER JOIN bookswritten USING (book_id)
    INNER JOIN authors USING (writer_id)
    INNER JOIN Topics USING (Topic_id)
    WHERE authors.elname LIKE "thread%"
    GROUP BY books.title
    ORDER BY authors.elname, books.title;
END ~~~
DELIMITER ;
When I feed a name to the procedure, I get an error that it doesn't recognize the string in my field list. This incarnation worked well in PHP. Thanks.
penders

msg:4401394 | 11:20 pm on Dec 25, 2011 (gmt 0) |
> "thread%" group by books.title order by authors.elname,
Does MySQL support variable parsing? Maybe you need to use CONCAT() to append the "%"?
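The fix penders points at, written out as an added example (not code from the thread) that assumes the poster's tables books, bookswritten, authors and Topics exist with the columns used above: the parameter is joined to the wildcard with CONCAT() instead of being written inside a quoted literal, and LIKE's own wildcards in the caller's value are escaped so an input such as "%" cannot match every author.

```sql
-- Added example, not from the thread. Assumed schema (from the poster's query):
-- books(book_id, title, Topic_id), bookswritten(book_id, writer_id),
-- authors(writer_id, efname, elname), Topics(Topic_id, topic).
DELIMITER ~~~

DROP PROCEDURE IF EXISTS findwriter ~~~

CREATE PROCEDURE findwriter (IN thread VARCHAR(25))
BEGIN
    -- Inside quotes, "thread%" is a string literal (or, with sql_mode
    -- ANSI_QUOTES, an identifier, hence "unknown column ... in field list").
    -- The parameter has to be appended to the wildcard with CONCAT().
    -- REPLACE() escapes LIKE's own wildcards and the escape character in the
    -- caller's value, so '%' or '_' in the input match only those characters.
    DECLARE pattern VARCHAR(60);
    SET pattern = CONCAT(
        REPLACE(REPLACE(REPLACE(thread, '\\', '\\\\'), '%', '\\%'), '_', '\\_'),
        '%');

    SELECT books.title AS title,
           CONCAT(authors.efname, ' ', authors.elname) AS scribe,
           books.book_id AS id,
           Topics.topic AS subject
    FROM books
    INNER JOIN bookswritten USING (book_id)
    INNER JOIN authors USING (writer_id)
    INNER JOIN Topics USING (Topic_id)
    WHERE authors.elname LIKE pattern ESCAPE '\\'
    -- GROUP BY kept from the original; MySQL's ONLY_FULL_GROUP_BY mode rejects
    -- non-aggregated columns here, so a full GROUP BY or DISTINCT is safer.
    GROUP BY books.title
    ORDER BY authors.elname, books.title;
END ~~~

DELIMITER ;

-- Constructed call: lists books by authors whose last name starts with 'Asim'.
CALL findwriter('Asim');
```

The PHP side then passes the name as a bound parameter to CALL findwriter(?) rather than splicing it into the query text, so the procedure is the only place where the pattern is built.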
Baruch Menachem

msg:4401436 | 4:42 am on Dec 26, 2011 (gmt 0) | It is parsing it, but it seems to be treating it like a table header
topr8

msg:4401452 | 9:02 am on Dec 26, 2011 (gmt 0) | ...