
so I have this query below in my php code :

$query ="SELECT * 
         FROM material_tools_master_data 
         WHERE material_name like '" . $_POST["keyword"] . "%' 
         ORDER BY material_code 
         LIMIT 0,50";

It does pretty well and gives me a result called 'autocomplete' in my form. The problem is, I want to make it more complex: I want my autocomplete to filter the data selection not only by material_name but also by material_tools_group, and show me exactly the material_name which is filtered by material_group = 'Measuring' OR 'Tools'.

The point is, I want to make this query work with my autocomplete. So here is my new query:

$query ="SELECT * 
         FROM material_tools_master_data 
         WHERE `material_tools_group` = 'Measuring' OR 'Tools' AND `material_name` like '" . $_POST["keyword"] . "%' 
         ORDER BY material_code LIMIT 0,50";

The query above is not working; it is giving me all the material_name rows in the table.

Any help will be much appreciated.

RST
M Ansyori
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 10 '16 at 16:24
  • What exactly do you mean in the question title by "MySQL 3"? Surely you're not actually using version 3 of MySQL, right? Not in 2016? – Simba Jun 10 '16 at 16:26
  • Your second query should throw syntax errors because you cannot do `WHERE material_tools_group = 'Measuring' OR 'Tools'`. It would have to be `WHERE (material_tools_group = 'Measuring' OR material_tools_group = 'Tools')` – Jay Blanchard Jun 10 '16 at 16:28
  • @JayBlanchard, Ikr, I wanted to switch to mysqli but it takes a long time. I'll do that later because it will take a lot of maintenance and my client won't be happy about that. So do you have any idea to fix the problem? – M Ansyori Jun 10 '16 at 16:28
  • @Simba, I mean '3 conditions in my SQL query', not the version of MySQL. – M Ansyori Jun 10 '16 at 16:31

1 Answer


See warnings about PHP's deprecated API, and the proper use of prepared statements above...

$query ="
SELECT * 
  FROM material_tools_master_data 
 WHERE material_tools_group IN('Measuring','Tools') 
   AND `material_name` LIKE '" . $_POST["keyword"] . "%' 
 ORDER 
    BY material_code LIMIT 0,50;
";
Strawberry
  • Thank you for answering my question. Your query seems to work, and I tried it. However, the autocomplete shows all results from my table when I type in the search box (material_name), not filtered by the material_tools_group. – M Ansyori Jun 10 '16 at 16:38
  • Nope, never mind. After I double-checked the result, your code is working! Thanks again. – M Ansyori Jun 10 '16 at 16:42
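As an added example (not code from the question or from Strawberry's answer), here is the same autocomplete query written with a PDO prepared statement, which is what the comments about SQL injection point to: the group list and the keyword are bound parameters, and the `OR` precedence problem disappears because the groups go into a parenthesised `IN (...)`. The DSN and credentials are placeholders, and the `escapeLikePrefix` helper is mine, added so that a `%` or `_` typed by the user matches literally instead of acting as a wildcard.

```php
<?php
// Added example: parameterised version of the autocomplete query.
// Connection details are placeholders (assumption, not from the page).

/**
 * Escape LIKE metacharacters in a user-supplied prefix. MySQL's default
 * LIKE escape character is the backslash, so "\%" and "\_" match literally.
 */
function escapeLikePrefix(string $keyword): string
{
    // Escape the escape character itself first, then the two wildcards.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $keyword);
}

/**
 * Return up to 50 rows whose material_name starts with $keyword and whose
 * material_tools_group is one of $groups, using bound parameters throughout.
 */
function autocompleteMaterials(PDO $pdo, string $keyword, array $groups): array
{
    if ($groups === []) {
        return []; // "IN ()" is a syntax error in MySQL; nothing can match anyway
    }

    // One "?" placeholder per allowed group keeps the IN list parameterised.
    $placeholders = implode(',', array_fill(0, count($groups), '?'));

    // Parentheses and IN make the intent explicit: (group filter) AND (name prefix).
    $sql = "SELECT *
              FROM material_tools_master_data
             WHERE material_tools_group IN ($placeholders)
               AND material_name LIKE ?
             ORDER BY material_code
             LIMIT 0, 50";

    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge($groups, [escapeLikePrefix($keyword) . '%']));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$keyword = $_POST['keyword'] ?? '';
$rows = autocompleteMaterials($pdo, $keyword, ['Measuring', 'Tools']);
echo json_encode($rows);
```

Because the keyword never becomes part of the SQL text, the bobby-tables problem raised in the comments does not apply, and a keyword such as `100%` is looked up as a literal prefix rather than matching every row.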