
I have an application which takes the information of a MySQL database (a music-db) and shows it via echos in a div. Everything works fine.

Now I wanted to add a search bar so you can search the database for a specific song.

The search bar just loads a PHP file with a MySQL query. The word or the letters you want to search for are passed via a variable in the link (for example test.php?searchvalue=it).

Now my problem: I get the following MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

The quotes in the error are single quotes!

The query is:

$searchvalue = $_GET["searchvalue"];

$query = mysql_query("select SongID, Songtitel, artwork, duration, SCID from tMusic where Songtitel LIKE '%$searchvalue%'") or die(mysql_error());

Why is this wrong?

Thanks for the help.

jumpskin

1 Answer

$searchvalue = $_GET["searchvalue"];

$query = mysql_query("select SongID, Songtitel, artwork, duration, SCID from tMusic where Songtitel LIKE '%".mysql_real_escape_string($searchvalue)."%'") or die(mysql_error());
Ishan Shah
  • Why should the OP try this? A good answer will always have an explanation of what was done and why it was done that way, not only for the OP but for future visitors to SO. – Jay Blanchard Oct 01 '15 at 11:49
  • Oh yeah, that was good so others know what their mistake is. Sure, from next time I will take care of that. – Ishan Shah Oct 01 '15 at 11:50
  • Does anyone know the reason of the name `mysql_real_escape_string` ? Is there an "unreal" version of the function? – Amarnasan Oct 01 '15 at 11:51
  • Because it will escape the unusable string to prevent SQL injection. – Ishan Shah Oct 01 '15 at 11:52
  • http://php.net/manual/en/function.mysql-escape-string.php *"mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting"* @Amarnasan – Jay Blanchard Oct 01 '15 at 11:53
  • Really? Oh, my... that reminds me of when I create an improved new function 'foo' as 'foo2'... so sloppy. What if there's an improved version? `mysql_really_really_escape_string`? – Amarnasan Oct 01 '15 at 11:54
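The error in the question is the string literal in the query being closed early: a search value containing a quote character ends the `'%...%'` literal, and whatever follows is parsed as SQL, which is the same mechanism that makes the query injectable. The accepted answer escapes the value; the safer construction is to keep the value out of the SQL text entirely with a prepared statement. The following is an added example, not code from the question or the answer, written with mysqli (the `mysql_*` extension used on this page was removed in PHP 7). It assumes the table and column names from the question and invented connection details (`localhost`, `dbuser`, `dbpass`, `musicdb`), and that `get_result()` is available (mysqlnd driver).

```php
<?php
// Added example: the song search from the question rewritten as a mysqli
// prepared statement. Table/column names follow the question; the
// connection credentials below are placeholders.

// Make driver errors surface as exceptions instead of an empty result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function searchSongs(mysqli $db, string $searchvalue): array
{
    // LIKE treats % and _ as wildcards and \ as the escape character, so
    // escape them in the user input; otherwise "100%" would match everything.
    $literal = str_replace(
        ['\\', '%', '_'],
        ['\\\\', '\\%', '\\_'],
        $searchvalue
    );
    $pattern = '%' . $literal . '%';

    // The SQL text never contains the user's input. The pattern is bound as a
    // parameter, so a quote in it cannot terminate the literal or alter the
    // statement, and no manual escaping of quotes is needed.
    $stmt = $db->prepare(
        'SELECT SongID, Songtitel, artwork, duration, SCID
           FROM tMusic
          WHERE Songtitel LIKE ?'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Assumed connection details (placeholders, not from the question).
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'musicdb');
$db->set_charset('utf8mb4');

$searchvalue = $_GET['searchvalue'] ?? '';

foreach (searchSongs($db, $searchvalue) as $row) {
    // The titles come from the database and are echoed into HTML, so encode
    // them on output as well; parameterising the query only protects the SQL side.
    echo htmlspecialchars($row['Songtitel'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

With this shape, a request such as `test.php?searchvalue=it` and one whose value contains a quote or a `%` behave the same way: both are matched literally against `Songtitel`, and neither can change the statement that reaches the server.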