PHP messes with percent % sign

Question

the following code:

if(isset($_POST['user'])){
$user = $_POST['user'];
}
else
{
$user = "%%";
}
$sql = "SELECT * FROM users WHERE name LIKE '$user'";
mysqli_query($link,$sql);

causes the query not work, because echo is:

SELECT * FROM user WHERE name LIKE ''

instead of

SELECT * FROM users WHERE name LIKE '%%'

how can this be fixed?

First off, your code is *extremely* vulnerable to [SQL injection](http://en.wikipedia.org/wiki/SQL_injection) attacks. For the sake of your users, please use parameterized queries. See [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) — p.s.w.g, Jul 26 '14 at 16:12
`$POST['user']` is set, but empty... `if(isset($_POST['user']) && !empty($_POST['user'])){` — Mark Baker, Jul 26 '14 at 16:13
p.s.w.g injection in select? how... and the user-post comes from a drop-down list. And your link, sorry...i dont use the arrow-php, i use the basic one. — sgtBear, Jul 26 '14 at 16:17
It's possible that malicious hackers are not willing to use your drop-down list and prefer to enter their own values. — Álvaro González, Jul 26 '14 at 16:20
i dont understand what injection can do?? select something else or what? — sgtBear, Jul 26 '14 at 16:21
Depending on the back-end code and database, things like stealing credit cards, impersonating other users, deleting your database... But nothing really serious as hurting dogs, I guess. — Álvaro González, Jul 26 '14 at 16:24
oh..how can you ENTER something in a LIST?...its there its not a textfield, its the — sgtBear, Jul 26 '14 at 16:24
Also, no need to have two percentage signs, `$user = "%%";`, if you which to get hits on all. Try `$user = "%";`. — Niklas, Jul 26 '14 at 17:29

score 1 · Answer 1 · answered Jul 26 '14 at 16:14

1

I would think, your $_POST['user'] is set, and filled with ''.

answered Jul 26 '14 at 16:14

raice

182
1
2
10

PHP messes with percent % sign

1 Answers1