3 Replies - 16942 Views - Last Post: 02 November 2011 - 01:41 PM

#1 Kersh86

php/mysql select query is cutting off the name

Posted 02 November 2011 - 10:02 AM

Hey, I'm having a strange problem with my PHP query.

My code:
// The raw request values, escaped with addslashes() before the DB link is opened below.
$q = $_GET["q"];
$q = addslashes($q);
$p = $_GET["p"];

define('MyConst', TRUE);
include '../database/config.php';
include '../database/opendb.php';

// The values are concatenated straight into the SQL text ($p is not escaped at all).
$sql = "SELECT * FROM bands WHERE name = '".$q."' AND month='".$p."'";
echo "\n".$sql;
$result = mysql_query($sql) or die(mysql_error());


The query:
SELECT * FROM bands WHERE name = 'hell\'s bell\'s' AND month='Febuary'

For some strange reason, when I go to put the name into the form, it gets cut to "hell", although all the rest of the information is fine.

What's going on?


Replies To: php/mysql select query is cutting off the name

#2 macosxnerd101

Re: php/mysql select query is cutting off the name

Posted 02 November 2011 - 01:10 PM

Moved to PHP.

To sanitize against SQL Injection, you should at least use mysql_real_escape_string() over addslashes(). Ideally though, you should use Prepared Statements like PDO, which are immune to SQL Injection. So you just bind your values to your parameters, and PDO handles all your sanitation. You don't need to addslashes() or anything.

#3 Kersh86

Re: php/mysql select query is cutting off the name

Posted 02 November 2011 - 01:30 PM

macosxnerd101, on 02 November 2011 - 01:10 PM, said:

Moved to PHP.

To sanitize against SQL Injection, you should at least use mysql_real_escape_string() over addslashes(). Ideally though, you should use Prepared Statements like PDO, which are immune to SQL Injection. So you just bind your values to your parameters, and PDO handles all your sanitation. You don't need to addslashes() or anything.


Yes, I know of mysql_real_escape_string(), but the strange thing with that is I get an empty string when I use it. That's why I tried addslashes(). I don't know why that's happening.

Everything works fine on the site apart from that it doesn't retrieve the whole of the string from the database; it stops just before the 1st apostrophe, i.e. hell's bell's becomes hell.

I've echoed the strings and they work fine, but as I'll be using apostrophes in the select query I need to escape them, and as I said, mysql_real_escape_string() just makes the variable empty.

#4 CTphpnwb

Re: php/mysql select query is cutting off the name

Posted 02 November 2011 - 01:41 PM

As has been mentioned, mysql_* functions are insecure. They're soon to be deprecated. Start using PDO.
$dsn = "mysql:host=localhost;dbname=your_database_name";
$username = "root"; // your MySQL username
$password = "root"; // your MySQL password
// Placeholders instead of concatenation: the values are bound, never spliced into the SQL text.
$sql = "SELECT * FROM bands WHERE name = ? AND month = ?";
try {
	$db = new PDO($dsn, $username, $password);
	// Without this, a failed prepare()/execute() returns false silently and the catch below never runs.
	$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
	$new_item = $db->prepare($sql);
	$new_item->execute(array($_GET['q'], $_GET['p'])); // raw values, no addslashes() needed
	$new_item->setFetchMode(PDO::FETCH_ASSOC);
	foreach ($new_item as $nw) {
		print_r($nw);
		echo "<br>";
	}
} catch (Exception $er) {
	error_log($er->getMessage());
}


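As an added example (not code from the thread), here is the lookup from this thread done the way macosxnerd101 and CTphpnwb recommend, with a PDO prepared statement; it runs against an in-memory SQLite table so it needs no MySQL server, and the table, rows and field names are constructed to mirror the OP's query. It also writes the name back into a form field with htmlspecialchars(), on my assumption (not something the thread establishes) that the OP's "hell" truncation happens where an unescaped apostrophe ends a single-quoted value attribute.

```php
<?php
// Added example, not from the thread: in-memory SQLite stands in for the OP's MySQL
// database so this runs offline. Table, columns and rows are constructed sample data.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE bands (id INTEGER PRIMARY KEY, name TEXT, month TEXT)");
    $ins = $db->prepare("INSERT INTO bands (name, month) VALUES (?, ?)");
    $ins->execute(["hell's bell's", "February"]); // constructed row with apostrophes
    $ins->execute(["plain name", "February"]);    // constructed row without
    return $db;
}

// Look up a band by name and month. The values travel as bound parameters, so
// apostrophes in $name never touch the SQL text: no addslashes(), no
// mysql_real_escape_string(), and no open-link requirement before escaping.
function findBand(PDO $db, string $name, string $month): ?array {
    $stmt = $db->prepare("SELECT * FROM bands WHERE name = ? AND month = ?");
    $stmt->execute([$name, $month]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Write the name back into a form field. ENT_QUOTES encodes both ' and ", so a
// single-quoted value attribute is not cut off at the first apostrophe
// (my assumption about where the OP's "hell" truncation occurs; the thread does not say).
function nameField(string $name): string {
    return "<input type='text' name='q' value='"
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "'>";
}

$db = openDb();
$q = $_GET['q'] ?? "hell's bell's";   // fallback so the script also runs from the CLI
$p = $_GET['p'] ?? 'February';

$row = findBand($db, $q, $p);
echo $row ? "found: {$row['name']} ({$row['month']})\n" : "no match\n";
echo nameField($q), "\n";
```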
