I'm making a query on a column that has text data using:
mysql_query("SELECT * FROM products WHERE brand like '%$pham_brand%' AND item!='$item' Order by rand() Limit 25 ")
For the most part it works. It displays items of the same brand, but when it comes across text with an apostrophe, it messes up and gives me an error. I understand why this happens and that I need to escape it, but I'm not sure of the functions I need to use or correct syntax.
I'm aware of the addslashes() function, but I haven't got it to execute successfully.
Someone told me to write it like this:
mysql_query("SELECT * FROM products WHERE brand like 'addslashes($pham_brand)' AND item!='$item' Order by rand() Limit 25 ")
Well, this doesn't work. Anyhow, I guess I could manually escape my text in the database, but we're talking about hundreds of entries. Any suggestions? Thanks!
I'm just not sure if the string in the query is parsed. I usually build the statement before and then do the query.
$query = "SELECT * FROM products WHERE brand like '%" . addslashes($pham_brand) . "%' AND item!='$item' Order by rand() Limit 25";
mysql_query($query);
It would be good for you to understand why it worked.
PHP will parse any string surrounded by double quotes for variables but not functions. Therefore, something like $var = addslashes($var) will work, while $var = "addslashes($var)" will not work.
What I did was to concatenate the string [us4.php.net]. Follow the link and read the manual here [us4.php.net] too. It will be a great benefit for all you do. So basically what it does is tie all the strings and strings returned by functions together into one long string. Does that make sense?
mysql_real_escape_string will escape special characters in the unescaped_string, taking into account the current charset of the connection so that it is safe to place it in a mysql_query().
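An added example, not from anyone in this thread, that shows the interpolation point made above and then the query with the apostrophe problem rewritten with placeholders so no manual escaping is needed. It assumes PHP 7 or later with PDO and the pdo_sqlite driver; an in-memory SQLite table with constructed rows stands in for the MySQL products table, and the column and variable names are the ones used in the thread.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ with PDO and pdo_sqlite;
// SQLite in memory stands in for the MySQL table discussed above.

$pham_brand = "Levi's";   // constructed sample value containing an apostrophe
$item = "501";            // constructed sample value

// 1. A double-quoted string expands variables only: the function name is
//    left as literal text and the apostrophe from the value breaks the SQL.
$wrong = "brand like 'addslashes($pham_brand)'";
echo $wrong, "\n";

// 2. Concatenation actually calls the function, but the query is still being
//    assembled by hand, and addslashes() knows nothing about the connection's
//    character set (which is why mysql_real_escape_string() was recommended).
$escaped = "brand like '%" . addslashes($pham_brand) . "%'";
echo $escaped, "\n";

// 3. Prepared statement: the values are sent separately from the SQL text, so
//    an apostrophe (or anything else) in the input cannot change the query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (item TEXT, brand TEXT)");
$ins = $pdo->prepare("INSERT INTO products (item, brand) VALUES (?, ?)");
foreach ([["501", "Levi's"], ["505", "Levi's"], ["T1", "Wrangler"]] as $row) {
    $ins->execute($row);   // constructed sample rows
}

// Same query as the thread's; RANDOM() is SQLite's spelling of MySQL's RAND().
// The LIKE wildcards are added to the bound value, not to the SQL string.
$sel = $pdo->prepare(
    "SELECT item, brand FROM products WHERE brand LIKE ? AND item != ? "
    . "ORDER BY RANDOM() LIMIT 25"
);
$sel->execute(['%' . $pham_brand . '%', $item]);
foreach ($sel->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo $row['item'], ' ', $row['brand'], "\n";   // other items of the same brand
}
```

With mysqli or PDO against a real MySQL server the prepare/execute calls are the same; only the DSN and the RAND() spelling change.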