
```php
// $conn is an open mysqli connection created earlier (not shown in the question)
$whereClauses = array();
// optional property type filter, e.g. type='House'
if (! empty($_POST['house'])) $whereClauses[] = "type='".mysqli_real_escape_string($conn, $_POST['house'])."'";
// optional price filter; the POST value is expected to carry the operator as well, e.g. "> 150",
// and is concatenated unquoted, so escaping quote characters does not constrain what it contains
if (! empty($_POST['price'])) $whereClauses[] = "rate ".mysqli_real_escape_string($conn, $_POST['price']);
// free-text search; the OR chain is not parenthesised, so only postcode is compared with LIKE
// and, because AND binds tighter than OR, the title/area branches bypass the first two filters
if (! empty($_POST['any'])) $whereClauses[] = "title or area or postcode LIKE '%".mysqli_real_escape_string($conn, $_POST['any'])."%'";
$where = '';
if (count($whereClauses) > 0) { $where = ' WHERE '.implode(' AND ', $whereClauses); }
```

I can't seem to get the LIKE statement to work, e.g. it won't display any results that match the title column if there is one for the area column; I want all the matches to show. Also, whenever I use the third if statement it ignores the first two: if I only want houses that cost over £1000, it will display the ones below that when I use the LIKE.

Generated SQL WHERE clause: `WHERE type='House' AND rate > 150 AND title OR area or postcode LIKE '%s%'`

S.S

  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Nov 26 '16 at 16:56
  • The query is invalid; use error reporting and it should tell you that. You could use fulltext searching, then all three columns would be matched against your term. http://dev.mysql.com/doc/refman/5.7/en/fulltext-search.html – chris85 Nov 26 '16 at 16:59
  • `WHERE type='House' AND rate > 150 AND (title LIKE '%s%' OR area LIKE '%s%' OR postcode LIKE '%s%')` – RiggsFolly Nov 26 '16 at 16:59
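The following is an added example, not code posted by the asker or by any commenter. It builds the same three optional filters with the parenthesised OR group RiggsFolly's comment shows, but using mysqli prepared statements so that no request value is ever concatenated into the SQL string. It assumes an open mysqli connection in `$conn`, a table named `properties` with the columns `type`, `rate`, `title`, `area` and `postcode`, that the price comparison operator arrives in its own `price_op` field (so it can be whitelisted rather than copied from the request), and that mysqlnd is available for `get_result()`; all of those names are assumptions, not from the question.

```php
<?php
declare(strict_types=1);

// Only these operators are accepted for the price filter (assumption: the form
// sends the operator in price_op and the number in price, as separate fields).
const PRICE_OPERATORS = ['>' => '>', '<' => '<', '>=' => '>=', '<=' => '<=', '=' => '='];

/**
 * Turn the request fields into a WHERE fragment plus the values to bind.
 * Returns [$whereSql, $params, $types]; the SQL string only ever contains
 * '?' placeholders, never user input.
 */
function buildWhere(array $input): array
{
    $clauses = [];
    $params  = [];
    $types   = '';

    if (!empty($input['house'])) {
        $clauses[] = 'type = ?';
        $params[]  = $input['house'];
        $types    .= 's';
    }

    if (!empty($input['price'])) {
        // Operator is looked up in the whitelist; anything unknown falls back to '>'.
        $op        = PRICE_OPERATORS[$input['price_op'] ?? '>'] ?? '>';
        $clauses[] = "rate $op ?";
        $params[]  = (int) $input['price'];
        $types    .= 'i';
    }

    if (!empty($input['any'])) {
        // Parentheses keep AND binding the first two filters to the whole OR group.
        // Each column gets its own LIKE and its own bound copy of the term, and the
        // user's own '%' and '_' are escaped so they match literally instead of as wildcards.
        $clauses[] = '(title LIKE ? OR area LIKE ? OR postcode LIKE ?)';
        $term      = '%' . addcslashes($input['any'], '%_\\') . '%';
        array_push($params, $term, $term, $term);
        $types    .= 'sss';
    }

    $where = $clauses ? ' WHERE ' . implode(' AND ', $clauses) : '';
    return [$where, $params, $types];
}

[$where, $params, $types] = buildWhere($_POST);
$sql = 'SELECT title, area, postcode, type, rate FROM properties' . $where;

$stmt = $conn->prepare($sql);
if ($stmt === false) {
    // Surface SQL syntax errors instead of silently showing an empty result list.
    die('Prepare failed: ' . htmlspecialchars($conn->error));
}
if ($params !== []) {
    $stmt->bind_param($types, ...$params);
}
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['title']), ' - ', htmlspecialchars($row['area']), "\n";
}
$stmt->close();
```

With `house=House`, `price_op=>`, `price=150` and `any=s`, `buildWhere()` yields `WHERE type = ? AND rate > ? AND (title LIKE ? OR area LIKE ? OR postcode LIKE ?)` with the bound values `['House', 150, '%s%', '%s%', '%s%']`, which is the grouped clause from the comment above; the difference from the question's version is that the operator comes from the whitelist and the values never touch the SQL text, so escaping is no longer what the query's safety depends on.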

0 Answers