I'm trying to write a statement to select and display some specific values, but this code displays everything.
Is it possible to write this with a select statement?
$thisKeyword  = $_POST['catid'];
$thisKeyword1 = $_POST['yearid'];
$query = "SELECT * FROM STAFF WHERE category_id like '%$thisKeyword%' OR name like '%$thisKeyword%' AND year_id = '%$thisKeyword1%'";
Matthew1980
6:26 pm on Nov 26, 2010 (gmt 0)
Hi there JuicyScript,
>>I'm trying to write a statement to select and display some specific values, but this code displays everything.
Which is exactly what it will do: you're using the '*', so everything that matches 'these terms' in your statement comes back, and SQL will return everything that matches your criteria.
If you only want specific fields/values to be returned, you need to explicitly define those values in the request:
<?php
// make your sql safer
// (mysql_real_escape_string() needs an open mysql_connect() link, and the old
// mysql extension no longer exists in PHP 7+; prepared statements via mysqli or PDO
// are the replacement)
$thisKeyword  = strip_tags(mysql_real_escape_string($_POST['catid']));
$thisKeyword1 = strip_tags(mysql_real_escape_string($_POST['yearid']));

// parentheses group the two LIKE alternatives so the year filter applies to both
$query = "SELECT `column_one` FROM `STAFF`
          WHERE (`a_column` LIKE '%".$thisKeyword."%' OR `name` LIKE '%".$thisKeyword."%')
            AND `year_id` = '".$thisKeyword1."'";
DISCLAIMER! I just noticed that the sql didn't make sense when I posted, so I have made it make a little more sense; unfortunately I can only surmise the column names, so please just understand that this is for example only, and you see how to use parentheses within a sql statement when you're trying to match more than one value to a single id.
I hope that makes sense anyway - I should have read the sql properly in the first place ;-p
Or at least something like that. You need to be careful with LIKE commands; sometimes you need to parenthesize these parts so that the logic of the sql makes sense.
Remember that numerical values in sql don't need to be quoted; if they are, sql will treat that value as a string, which can cause some issues.
Hope that makes sense!
Cheers, MRb
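Added example, not code from either poster: the parenthesised query above written with PDO prepared statements, so the keyword and year are bound as parameters rather than spliced into the SQL string, the year is bound as an integer (the "don't quote numbers" point), and the `%` wildcards are added in PHP with any `%`/`_` the user typed escaped. It runs against an in-memory SQLite database filled with constructed rows so it can be tried offline; on MySQL only the DSN and credentials would change. The column names (name, category_id, year_id) and sample data are assumptions, as in the thread.

```php
<?php
// Added example (not from the thread). Assumed columns: name, category_id, year_id.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE STAFF (id INTEGER PRIMARY KEY, name TEXT, category_id TEXT, year_id INTEGER)');

// Constructed sample rows.
$insert = $pdo->prepare('INSERT INTO STAFF (name, category_id, year_id) VALUES (?, ?, ?)');
foreach ([['Alice', 'sales', 2010], ['Bob', 'support', 2009],
          ['Carol', 'sales', 2009], ['Dave', 'sales', 2010]] as $row) {
    $insert->execute($row);
}

// Build the LIKE pattern in PHP: wildcards are ours, and any % or _ in the
// user's input is escaped (ESCAPE '!' in the SQL) so it matches literally.
function likePattern(string $keyword): string
{
    return '%' . strtr($keyword, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

// Run a search with the given WHERE clause; values are always bound, never
// concatenated, and the year is bound as an integer rather than a quoted string.
function search(PDO $pdo, string $where, string $keyword, int $year): array
{
    $stmt = $pdo->prepare("SELECT name FROM STAFF WHERE $where ORDER BY name");
    $stmt->bindValue(':kw1', likePattern($keyword));
    $stmt->bindValue(':kw2', likePattern($keyword)); // MySQL rejects reusing one name
    $stmt->bindValue(':year', $year, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Parenthesised: (category OR name) AND year, which is what the question wants.
function findStaff(PDO $pdo, string $keyword, int $year): array
{
    return search($pdo,
        "(category_id LIKE :kw1 ESCAPE '!' OR name LIKE :kw2 ESCAPE '!') AND year_id = :year",
        $keyword, $year);
}

// Unparenthesised, as in the original post. AND binds tighter than OR, so the
// year condition only applies to the name branch and every category match
// comes back regardless of year.
function findStaffNoParens(PDO $pdo, string $keyword, int $year): array
{
    return search($pdo,
        "category_id LIKE :kw1 ESCAPE '!' OR name LIKE :kw2 ESCAPE '!' AND year_id = :year",
        $keyword, $year);
}

print_r(findStaff($pdo, 'sales', 2010));
print_r(findStaffNoParens($pdo, 'sales', 2010));
// A keyword such as '100%' or "' OR 1=1 --" is just data here: it is bound as a
// parameter and its % is escaped, so it cannot change the query's structure.
```

With the constructed rows, the parenthesised search returns only the two 2010 sales staff, while the unparenthesised one also returns the 2009 sales row, which is the "displays everything" symptom from the question.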
JuicyScript
1:57 am on Dec 1, 2010 (gmt 0)
Will this statement also filter my data by catid and yearid?