
I am trying to make an advanced search form for my site. I want to get only rows with uploaded video links and check if the title and description are equal to the search query. I tried:

SELECT `id` 
FROM `posts` 
WHERE `file` LIKE '%video%' 
AND `title` LIKE '%{$search_query}%' 
OR `description` LIKE '%{$search_query}%';

But in this case, MySQL returns all the rows that contain the search query in their description or title, regardless of whether the 'file' column contains "video" or not. I want it to return only matches with video files. How can I achieve that?

  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenating user provided values into the query. Never trust ANY user input! – RiggsFolly Feb 21 '22 at 18:17
  • If you use AND and OR in the same WHERE clause, always use brackets to ensure the correct intention is given to MySQL – RiggsFolly Feb 21 '22 at 18:18
  • `WHERE \`file\` LIKE '%video%' AND ( \`title\` LIKE '%{$search_query}%' OR \`description\` LIKE '%{$search_query}%');` – RiggsFolly Feb 21 '22 at 18:19
  • @RiggsFolly thank you so much for the advice. I am using `mysqli_real_escape_string` and another function to clean all the $_GET and $_POST strings on my script. – Yazan Yazan Feb 21 '22 at 18:40
  • Read the first comment again. Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) – RiggsFolly Feb 21 '22 at 19:29

1 Answer


You skipped parentheses

SELECT `id` 
  FROM `posts` 
 WHERE `file` LIKE '%video%' 
   AND (`title` LIKE '%{$search_query}%' 
    OR `description` LIKE '%{$search_query}%');
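The following is an added example, not code from the question or the answer, that shows both points raised on this page at once: the precedence bug (AND binds tighter than OR, so without parentheses a non-video row can slip in through the OR branch) and the comment's advice to bind the search term as a parameter instead of interpolating it. It uses an in-memory SQLite database as a stand-in for MySQL (SQLite accepts the same backtick-quoted identifiers and the LIKE ... ESCAPE syntax), with a constructed `posts` table of five sample rows. The `search` and `like_pattern` helpers and the table contents are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample rows (not from the original question). Row 3 is an image whose
# description matches "cat"; rows 4 and 5 exist to show LIKE-wildcard escaping.
SAMPLE_POSTS = [
    (1, "video/cat.mp4", "Cat jumps", "A cat video"),
    (2, "video/dog.mp4", "Dog sleeps", "Nothing here"),
    (3, "image/cat.png", "Cat photo", "A cat picture"),
    (4, "video/bird.mp4", "Birds", "100% cat-free"),
    (5, "video/fish.mp4", "Fish", "1000 views so far"),
]


def build_db():
    """Create the sample posts table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, file TEXT, title TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


# The question's shape, but with the search term bound as a parameter (?) rather than
# interpolated. AND binds tighter than OR, so this is evaluated as
# (file LIKE '%video%' AND title LIKE ?) OR description LIKE ?  -- non-video rows leak in.
UNPARENTHESIZED = """
SELECT `id` FROM `posts`
 WHERE `file` LIKE '%video%'
   AND `title` LIKE ? ESCAPE '!'
    OR `description` LIKE ? ESCAPE '!'
"""

# The answer's shape: the OR group is parenthesized, so the video filter always applies.
PARENTHESIZED = """
SELECT `id` FROM `posts`
 WHERE `file` LIKE '%video%'
   AND (`title` LIKE ? ESCAPE '!'
     OR `description` LIKE ? ESCAPE '!')
"""


def like_pattern(term, escape_wildcards=True):
    """Wrap a user-supplied term in %...% for LIKE.

    Parameter binding stops the term from changing the SQL, but LIKE's own
    wildcards (% and _) still have meaning inside the bound value, so they are
    escaped with '!' (declared via ESCAPE '!' in the query) unless disabled.
    """
    if escape_wildcards:
        term = term.replace("!", "!!").replace("%", "!%").replace("_", "!_")
    return f"%{term}%"


def search(conn, sql, term, escape_wildcards=True):
    """Run one of the queries above with the term bound twice; return sorted matching ids."""
    pattern = like_pattern(term, escape_wildcards)
    rows = conn.execute(sql, (pattern, pattern)).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = build_db()
    print("without parentheses:", search(db, UNPARENTHESIZED, "cat"))  # includes image row 3
    print("with parentheses:   ", search(db, PARENTHESIZED, "cat"))    # videos only
    print("literal '100%':     ", search(db, PARENTHESIZED, "100%"))
    print("unescaped '100%':   ", search(db, PARENTHESIZED, "100%", escape_wildcards=False))
    print("injection attempt:  ", search(db, PARENTHESIZED, "' OR 1=1 --"))
```

Two things to take from running it: the only difference between the two queries is the pair of parentheses, yet the first returns the image post because the `description` condition is never combined with the `file` filter; and a term such as `' OR 1=1 --` is just a string to match once it is bound as a parameter, which is the property `mysqli_real_escape_string` alone does not give you when the value is spliced into the SQL text. The `ESCAPE '!'` clause is a separate concern from injection: it keeps a `%` or `_` typed by the user from acting as a wildcard.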