I'd like to be able to filter the following data based on the companyID column:

companyID | title | address
    1         a        a
    1         b        b
    1         c        c
    2         d        d
    3         e        e

Here is my SQL query, but it didn't work.

$ID = $_GET['id'];
$valueToSearch = $_POST['valueToSearch'];
$query = "SELECT * FROM table WHERE companyID = '$ID' CONCAT(`title`) LIKE '%" . $valueToSearch ."%'";
MOJOJO
    Please try it and let me know – behkod Mar 02 '17 at 04:48
  • Are you populating `GET` and `POST`? You are open to SQL injections. The `CONCAT` doesn't make sense and you need an `AND` or `OR` to join the two conditions. – chris85 Mar 02 '17 at 04:49
  • Is this a syntax issue? – wahwahwah Mar 02 '17 at 04:54
  • @chris85 By the way what is SQL Injection? – MOJOJO Mar 02 '17 at 04:57
  • `SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).`-https://en.wikipedia.org/wiki/SQL_injection Since you are just putting user data directly into your query you are opening yourself to this. Use parameterized queries. Also use error reporting, the missing `AND` would have thrown an error. – chris85 Mar 02 '17 at 05:03
  • thank you @chris85 for the info. – MOJOJO Mar 02 '17 at 05:08

1 Answer

  1. As $ID is of integer type, you should remove quotations around it.
  2. For searching in the title column, you don't need CONCAT.

    $query = "SELECT * FROM table WHERE `companyID` = $ID AND `title` LIKE '%" . $valueToSearch ."%'";
    
behkod
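The answer's query now runs, but, as chris85 pointed out in the comments, it still pastes `$_GET['id']` and `$_POST['valueToSearch']` straight into the SQL text. The following is an added example, not code from the question or the answer: it runs that query next to a prepared-statement version against an in-memory SQLite copy of the sample table, so the difference can be observed directly. The table name `items`, the `searchUnsafe`/`searchSafe` function names and the injection payload are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the question or the answer. The table name
// `items` and the payload below are assumptions for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (companyID INTEGER, title TEXT, address TEXT)');
$seed = $pdo->prepare('INSERT INTO items VALUES (?, ?, ?)');
// Constructed sample rows, matching the table shown in the question.
foreach ([[1, 'a', 'a'], [1, 'b', 'b'], [1, 'c', 'c'], [2, 'd', 'd'], [3, 'e', 'e']] as $row) {
    $seed->execute($row);
}

// Vulnerable: the answer's query, with user input pasted into the SQL text.
function searchUnsafe(PDO $pdo, string $id, string $valueToSearch): array
{
    $query = "SELECT * FROM items WHERE `companyID` = $id AND `title` LIKE '%" . $valueToSearch . "%'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the same search as a prepared statement. The values are bound as
// parameters, so the database treats them as data and they can never become SQL.
function searchSafe(PDO $pdo, string $id, string $valueToSearch): array
{
    // companyID is an integer column: reject anything that is not digits
    // before it gets anywhere near the query.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    // % and _ are LIKE wildcards; escape them so the user searches for the
    // literal characters instead of steering the pattern.
    $literal = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $valueToSearch);
    $stmt = $pdo->prepare(
        "SELECT * FROM items WHERE companyID = :id AND title LIKE :pattern ESCAPE '\\'"
    );
    // The surrounding wildcards belong in the bound value, not in the SQL string.
    $stmt->execute([':id' => (int) $id, ':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: closes the LIKE string, adds a tautology, and comments
// out the rest of the statement.
$payload = "zzz' OR 1=1 -- ";
printf("unsafe, company 2, payload: %d rows\n", count(searchUnsafe($pdo, '2', $payload)));
printf("safe,   company 2, payload: %d rows\n", count(searchSafe($pdo, '2', $payload)));
printf("safe,   company 1, 'b':     %d rows\n", count(searchSafe($pdo, '1', 'b')));
```

With the payload, `searchUnsafe` returns the whole table regardless of the company requested, because the closing quote and `--` turn the rest of the statement into a comment; `searchSafe` returns no rows for the same input, since the quote is just a character inside the bound value, and the honest search for `b` under company 1 returns the single matching row. In the original script, `$_GET['id']` and `$_POST['valueToSearch']` would be passed to `searchSafe` as they are; the same approach works with `mysqli_prepare` and `bind_param` if PDO is not in use.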