-2

How to write this MySQL query,

```sql
SELECT * FROM `content` WHERE `language_option_tag` LIKE "%English%"
```

into PHP code where I only select the data which the user has POSTed by form

```php
$sql .= 'SELECT * FROM  `content` WHERE  `language_option_tag` LIKE "%' .$lang_name. '%"';
```
Yogesh Suthar
ahkeno
  • What is the problem? The query is correct. – Yogesh Suthar May 20 '13 at 06:42
  • Yes, the query works, but I want to show the result which the user has selected from the form and sent with the POST method to PHP, so I would replace "%English%" with "%' .$lang_name. '%" and it shows all of the data. – ahkeno May 20 '13 at 06:44
  • use this `$lang_name = $_POST['your_lang'];`. – Yogesh Suthar May 20 '13 at 06:45
  • Yes, I already use it and it works: `$lang_name = htmlspecialchars($_POST['lang_name'],ENT_QUOTES);` – ahkeno May 20 '13 at 06:48
  • So what is the problem? – Yogesh Suthar May 20 '13 at 06:49
  • Can you provide with more details – curious_coder May 20 '13 at 06:50
  • OK, here I have 3 stages. On page 1 the user clicks the field, which sends this field to the PHP page with the POST method: `$("#sub-lang-eng").click(function() { $.post("../select-query.php", { lang_name:"English", }, function(data,status){ $("#results-handler").html(data); }); return false; });` Then the _select-query.php_ page collects `$lang_name = htmlspecialchars($_POST['lang_name'],ENT_QUOTES);`, connects to the database, and shows the result on the first page. – ahkeno May 20 '13 at 07:06

4 Answers

1
```php
$lang_name = $_POST['your_lang'];
$sql = "SELECT * FROM content WHERE `language_option_tag` LIKE '%$lang_name%'";
```
curious_coder
1
```php
$lang_name = mysql_real_escape_string($_POST['selected_your_lang']);
$sql = "SELECT * FROM content WHERE `language_option_tag` LIKE '%$lang_name%'";
```

Note: Always use mysql_real_escape_string() when you are passing data from a form, to stop SQL injection.

Pank
0

You are missing a backtick; maybe it's just a typo, but this is causing an error. Also, the way you use LIKE should be different; change as follows:

$sql .= 'SELECT * FROM  `content` WHERE  `language_option_tag` LIKE '% .$lang_name. %' ; 
                        ^here is missing backtick `.                ^ here there was a mistake

Then I would like to remind you that you are at risk of SQL injection; have a look at "How can I prevent SQL injection in PHP?". You should use prepared statements to avoid any risk.

Community
Fabio
  • If one looks at [the source of the OP's original post](http://stackoverflow.com/revisions/2ad17242-d6ce-49e6-a384-7fa5ec815818/view-source), it's clear that the typo was simply markdown formatting; the "mistake" after `LIKE` is not a mistake - the SQL string literal must be quoted. – eggyal May 20 '13 at 06:46
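
The prepared-statement approach that the answer above recommends, applied to this `LIKE` search, as an added example that is not part of the original thread. Assumptions: PDO with an in-memory SQLite database so it runs without a server (for MySQL only the DSN changes), hypothetical helper names `likeContains` and `findByLanguage`, and constructed sample rows.

```php
<?php
// Added example, not code from the thread. Assumes the PDO SQLite driver;
// the table contents below are constructed sample data.

// Escape LIKE wildcards so the user's text is matched literally.
// '!' is replaced first so the escape characters added afterwards stay single.
function likeContains(string $term): string
{
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

function findByLanguage(PDO $pdo, string $langName): array
{
    // The SQL text is constant; the value travels separately as a parameter,
    // so quotes in $langName can never change the structure of the query.
    $stmt = $pdo->prepare(
        "SELECT id, language_option_tag FROM content
         WHERE language_option_tag LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => likeContains($langName)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, language_option_tag TEXT)');
$insert = $pdo->prepare('INSERT INTO content (language_option_tag) VALUES (?)');
foreach (['English', 'English,French', 'German', "O'Reilly <b>tag</b>"] as $tag) {
    $insert->execute([$tag]);
}

// Stand-ins for the raw $_POST['lang_name'] value (constructed inputs):
// a normal term, a term containing a quote, and a bare LIKE wildcard.
foreach (['English', "O'Re", '%'] as $langName) {
    $rows = findByLanguage($pdo, $langName);
    printf("%-8s -> %d row(s)\n", $langName, count($rows));
    foreach ($rows as $row) {
        // htmlspecialchars() belongs here, at HTML output, not before the query.
        echo '  ', htmlspecialchars($row['language_option_tag'], ENT_QUOTES), "\n";
    }
}
```

The wildcard escaping is a separate concern from injection: without it, a submitted `%` is still safe to bind but matches every row.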
0
```php
$dbconnection = mysqli_connect("localhost", "my_user", "my_password", "dbname");
$lang = $_POST["lang"];
$lang = mysqli_real_escape_string($dbconnection, $lang); // To prevent SQL injection
$sql = "SELECT * FROM content WHERE `language_option_tag` LIKE '%$lang%'";
```

For usage of mysqli, visit http://php.net/manual/en/mysqli.real-escape-string.php

Ergec