
How can I put this query to work (it's giving an error):

$result = "WHERE attributes like '%"{$GetMarca}"%' ";

I need the double quotes inside the single quotes because I'm searching inside a JSON field named attributes for a specific value.

André Castro
  • Use prepared queries instead. – Lawrence Cherone Nov 27 '18 at 16:07
  • This query is inside a specific framework, if I could avoid messing too much with the code I would be glad... – André Castro Nov 27 '18 at 16:10
  • Set the value to another variable with the double quotes. – Felippe Duarte Nov 27 '18 at 16:12
  • Again, **use prepared statements with placeholder values**. Can you be more specific about what framework you're using? Each one has a slightly different approach but the principle is the same. The goal here is to never introduce user data directly in the query. `WHERE attributes LIKE ?` and then bind that to `"%$GetMarca%"`. – tadman Nov 27 '18 at 16:12
  • @FelippeDuarte That's just making this already bad injection bug worse. – tadman Nov 27 '18 at 16:12

1 Answer


Try to escape your string.

$result = "WHERE attributes like '%\"" . $GetMarca . "\"%'";

The \ character escapes the " character.

Explained here in more detail ('escape'): What does it mean to escape a string?

Section
  • This substitutes interpolation for concatenation which isn't necessary. If you're escaping for SQL it's also **extremely important** to use the proper MySQL escaping function which this does not do. Answers like this provide a superficial quick-fix but also create huge liabilities, so please, be very, very careful when giving this sort of advice. – tadman Nov 27 '18 at 19:38
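The prepared-statement approach recommended in the question's comments, shown beside the string-concatenation shape of the answer, as an added example that is not code from the question, the answer, or the asker's framework. It assumes a table named `products` (no table is named on the page), an existing PDO connection `$pdo`, and helper names chosen here.

```php
<?php
// Added example, not code from the question or the answer: the WHERE clause
// from the question rebuilt with a PDO prepared statement, as the comments
// recommend. Assumptions: a table named `products` (not named on the page),
// an existing PDO connection $pdo, and the helper names used below.

/**
 * Build the LIKE pattern that matches the JSON string value "<marca>"
 * inside the `attributes` column. The double quotes are pattern data,
 * not SQL syntax, so they need no escaping at all. The LIKE wildcards
 * % and _ (and MySQL's default escape character \) inside the user value
 * are escaped so that searching for "50%" does not match everything.
 */
function marcaLikePattern(string $marca): string
{
    $escaped = strtr($marca, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    return '%"' . $escaped . '"%';
}

/**
 * The answer's approach, for contrast: the value becomes part of the SQL
 * text, so a value containing a quote changes the statement itself.
 * Kept only to show what the prepared statement replaces; do not use.
 */
function unsafeWhere(string $marca): string
{
    return "WHERE attributes like '%\"" . $marca . "\"%'";
}

/**
 * Safe version: the SQL contains only a placeholder, and the value travels
 * separately through the binding, so it is never parsed as SQL.
 */
function findByMarca(PDO $pdo, string $marca): array
{
    $sql  = 'SELECT * FROM products WHERE attributes LIKE ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([marcaLikePattern($marca)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the question's variable; $pdo is assumed to be connected.
// $rows = findByMarca($pdo, $GetMarca);
```

Most frameworks expose the same placeholder-and-bind pair under their own query-builder names, so the `?` plus bound pattern above maps onto them without touching the rest of the generated query.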