-2

In my PHP - Codeigniter function(), I gave the following command:

function get_cust($search='David')
{
$query = 'select pp.first_name from Cust pp where'; 
$query .= ' pp.first_name LIKE "%'.$search.'%")';
print_r(mysql_real_escape_string($query));
}

But while i executed the output in browser:

select pp.first_name from Cust pp where pp.first_name LIKE 'Úvid%'

Is it anyway so i can get it like:

select pp.first_name from Cust pp where pp.first_name LIKE '%David%'

I have tried using addslashes(), mysql_real_escape_string() as well.

Deepak Keynes
  • 2,291
  • 5
  • 27
  • 56

1 Answers1

-1
  1. Move away from mysql_* extensions. They are remove completely from PHP 7. Switch to either mysqli extension or PDO. Better use prepared statements, to avoid SQL injection issues.
  2. You should do escaping on the parameter, not the whole query.
  3. You should use single quotes around the parameter, even with mysqli_real_escape_string, to prevent SQL injection.
  4. Set your character set to UTF-8.

Find below the changed function, utilizing mysqli_real_escape_string: 

function get_cust($search='David')
{
    $query = "select pp.first_name from Cust pp where"; 
    $query .= " pp.first_name LIKE '%".mysqli_real_escape_string($search)."%')";
    print_r($query);
}
Madhur Bhaiya
  • 28,155
  • 10
  • 49
  • 57
  • Not my downvote, but I feel that just answering the question as-is without actually using `mysqli` or `PDO` and concatenation is a *bad idea*. – Phylogenesis Sep 05 '18 at 10:29
  • @Phylogenesis well I have already mentioned OP to move to mysqli or PDO with proper references. – Madhur Bhaiya Sep 05 '18 at 10:30
  • But 99% of people asking this question in Google/Bing are going to look at the code provided and just copy that without reading all the provisos. It just leads to more bad code. – Phylogenesis Sep 05 '18 at 10:31
  • @Phylogenesis edited to use `mysqli_real_escape_string instead`. – Madhur Bhaiya Sep 05 '18 at 10:33
  • Guys Rather than giving a minus vote, why dont you guys edit my question? – Deepak Keynes Sep 05 '18 at 10:34
  • But that's still objectively *wrong*. Give an example that actually uses prepared statements. – Phylogenesis Sep 05 '18 at 10:34
  • @Phylogenesis Well as long as character set is UTF-8 and mysqli_real_escape_string is used properly with single quotes, there is no SQL injection issue. Prepared statement are better; but people still use mysqli based statements (without prepare) as long as few restrictions are well taken care of – Madhur Bhaiya Sep 05 '18 at 10:35
  • This is an example where not using prepared statements is wrong. It's way too easy to forget to do something properly and you then have a massive SQL injection waiting to be exploited. – Phylogenesis Sep 05 '18 at 10:37
  • @MadhurBhaiya, I am having PHP 5.4 in my local machine. Kindly give me a way in PHP 5.4 – Deepak Keynes Sep 05 '18 at 10:51
  • @Keynes it is php 5.4 way only. You will need to switch to using mysqli_* extension. In the code where you are creating Mysql connection, you will need to switch to using mysqli extension there. If you could give details of that area of the code, I could change and give further explanation here – Madhur Bhaiya Sep 05 '18 at 11:03