
SQL doesn't read the $customerID variable as a variable. I think the () is the problem, because when I remove the first part of the () the editor sees the variable as a variable, but then the SQL won't work.

$customerID = $_SESSION['ID'];
// $customerID and $searchValue are interpolated straight into the SQL string,
// so prepare() receives no placeholders and nothing is ever bound
$query = $conn->prepare(
         "SELECT * FROM quiz_list
          WHERE (
                (status = 1 AND shared = 1)
                OR customer = '$customerID')
                AND friendly LIKE '%$searchValue%'
          ORDER BY id LIMIT 25;"
         );

$query->execute();
Martin
  • Why are you using a prepared statement yet not using parameters? That kind of defeats the point of it. This is potentially vulnerable to SQL injection attacks. As for your issue, I can't really understand what you're saying - what does "I think" mean - what actual behaviour do you get in this scenario, as opposed to the scenario where you remove an (unspecified) set of brackets from somewhere? And in that second scenario, what does "doesn't work" mean? Error? Some other unexpected behaviour? We have no clear idea what is happening. – ADyson May 08 '18 at 13:40
  • I think you are trying to do something like here: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Edwin May 08 '18 at 13:40

1 Answer


When you prepare a statement you should use placeholders for your parameters. These placeholders are then bound to the prepared statement in a second call, before executing the statement.

$query = $conn->prepare("SELECT * FROM quiz_list WHERE ((status = 1 AND shared = 1) OR customer = ?) AND friendly LIKE ? ORDER BY id LIMIT 25;");
$like = '%' . $searchValue . '%'; // wildcards go in the bound value; a quoted '?' or '%?%' inside the SQL is a string literal, not a placeholder
$query->bind_param('is', $customerID, $like); // bind_param takes its arguments by reference, so the pattern needs its own variable
$query->execute();

For a more elaborate example, look at the mysqli prepare documentation.

Jonathan
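The example below is added to illustrate the answer above; it is not the poster's code. It uses Python's built-in sqlite3 module as a stand-in for PHP mysqli so that it runs offline against an in-memory database: sqlite3 uses the same `?` positional placeholders, and `conn.execute(sql, params)` plays the role of `bind_param()` plus `execute()`. The `quiz_list` table and its rows are constructed sample data. It shows the question's interpolated query next to the parameterised one, runs the same injection payload through both, and additionally escapes `%` and `_` in the search term so that user input cannot act as a LIKE wildcard (the ESCAPE clause is an extra hardening step beyond the answer; MySQL's LIKE uses backslash as its default escape character, so the same idea carries over).

```python
"""Interpolated LIKE query (as in the question) versus a parameterised one
(as in the answer), demonstrated with sqlite3. Sample data is constructed."""
import sqlite3


def make_db():
    # Constructed sample table mirroring the columns used on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quiz_list (id INTEGER PRIMARY KEY, customer INTEGER, "
        "status INTEGER, shared INTEGER, friendly TEXT)"
    )
    conn.executemany(
        "INSERT INTO quiz_list (customer, status, shared, friendly) "
        "VALUES (?, ?, ?, ?)",
        [
            (1, 1, 1, "Public geography quiz"),    # published and shared: everyone
            (2, 1, 0, "Private geography notes"),  # customer 2 only
            (1, 0, 0, "Draft quiz 50%"),           # customer 1 only, unpublished
        ],
    )
    return conn


def search_vulnerable(conn, customer_id, search_value):
    # Same shape as the question: values pasted into the SQL text, so the
    # search string can close the quote and rewrite the WHERE clause.
    sql = (
        "SELECT id, friendly FROM quiz_list WHERE ((status = 1 AND shared = 1) "
        f"OR customer = '{customer_id}') AND friendly LIKE '%{search_value}%' "
        "ORDER BY id LIMIT 25"
    )
    return [row[1] for row in conn.execute(sql)]


def escape_like(term):
    # Make user-supplied %, _ and \ match literally under ESCAPE '\'.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, customer_id, search_value):
    # Placeholders carry the values; the wildcards live in the bound pattern,
    # not in the SQL, exactly as with mysqli bind_param('is', $id, $like).
    sql = (
        "SELECT id, friendly FROM quiz_list WHERE ((status = 1 AND shared = 1) "
        "OR customer = ?) AND friendly LIKE ? ESCAPE '\\' ORDER BY id LIMIT 25"
    )
    pattern = "%" + escape_like(search_value) + "%"
    return [row[1] for row in conn.execute(sql, (customer_id, pattern))]


if __name__ == "__main__":
    db = make_db()
    payload = "x%' OR 1=1 -- "          # closes the quote, then comments out the rest
    print("vulnerable:", search_vulnerable(db, 1, payload))
    print("safe      :", search_safe(db, 1, payload))
    print("literal % :", search_safe(db, 1, "50%"))
```

Running it as a script shows the interpolated query returning every row in the table for the payload (including customer 2's private quiz), while the parameterised query returns nothing for the same input and still finds the row containing a literal `%` when asked for it.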