Using php variables in Sql

Question

i have a form that is used to set a search term to a php variable VIA _GET so for example if the user typed cat the url would say ?search=cat

Here is the PHP variable that will be used in the SQL query

$search = 'CustomerAccountName LIKE &#39;%'  . $_GET['search'] . '%&#39;';

When echoed this produces CustomerAccountName LIKE '%cat%' which is valid and works when using the query editor however when i try to place the $search variable in to the query in php i get this error

Warning: odbc_exec(): SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect
 syntax near '&amp;'., SQL state 37000 in SQLExecDirect

any help would be much appreciated

Bobby tables is salivating by just looking at this – Elias Van Ootegem Oct 20 '14 at 10:18 — Elias Van Ootegem, Oct 20 '14 at 10:18

score 2 · Accepted Answer · edited May 23 '17 at 12:27

2

Just use plain single quotes.

$search = "CustomerAccountName LIKE '%".$_GET['search']."%';";

But don't build your query like this. Sanitize it before to prevent SQL injection.

edited May 23 '17 at 12:27

Community

1
1

answered Oct 20 '14 at 10:18

Francois

10,730
7
47
80

score 0 · Answer 2 · answered Oct 20 '14 at 10:20

0

$search = "CustomerAccountName LIKE '%"  . $_GET['search'] . "%' ";

answered Oct 20 '14 at 10:20

trzyeM-

923
8
10

Using php variables in Sql

2 Answers2