
I've written a $_GET query that passes strings on from a URL to a select query used to find information in MySQL.

The problem is, unless the URL query includes quotation marks, it won't work.

Is there any way to pass a string without the quotation marks?

Here's the relevant code:

$query = $_GET['query'];

connect to database code..

$sql = "SELECT * FROM table1 WHERE col1 RLIKE $query";

result code ...
  • You really, really, really, REALLY need to read and understand this question unless you want your database to be hacked and your data stolen and/or deleted: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Joel Hinz Jan 18 '15 at 20:49
  • use addslashes($_GET['query']) – lulco Jan 18 '15 at 20:49
  • You should almost never use `addslashes`. Escapes should be handled by something specific for the language the data is being converted for. – Quentin Jan 18 '15 at 20:55
  • possible duplicate of [How to escape quotes in a MYSQL query?](http://stackoverflow.com/q/6793632) – mario Jan 18 '15 at 20:56
  • I don't have any experience of it myself, but I would expect that allowing users to submit arbitrary regular expressions to your database is something that will make it very easy to DOS you. – Quentin Jan 18 '15 at 20:57

1 Answer

$sql = "SELECT * FROM table1 WHERE col1 LIKE '".addslashes($_GET['query'])."'";
Lance
  • That would be escaping the quotes to allow them to pass... – Jason Bassett Jan 18 '15 at 20:55
  • That'd be only advisable if both database schema and connection were set to ASCII only. They never are. See [What's the difference between PHP's addslashes and mysql(i)\_escape\_string?](http://stackoverflow.com/q/4486016) – mario Jan 18 '15 at 20:55