
Hello, I'm trying to select a column from my SQL database. I've put a form and got the data and then put it into a variable.

But when I try to check the equality of the condition with my SQL database, it doesn't work. I want to check the strict equality of the data stored in the search variable so I've used =.

I don't really know how to compare the column with a variable for equality.

```php
// Note: the original had a stray ';' after the if condition, which ends the
// statement early and makes the following block run unconditionally.
if (isset($_GET['s']) AND !empty($_GET['s'])) {
    // htmlspecialchars() is HTML output escaping, not SQL escaping (see the comments below)
    $search = htmlspecialchars($_GET['s']);

    // The value is concatenated straight into the SQL text, and without quotes
    $result = $bdd->query('SELECT * FROM table WHERE column = '.$search.'');
}
```
el ton
  • [What do you mean "It doesn't work"?](https://meta.stackexchange.com/questions/147616/what-do-you-mean-it-doesnt-work). But yeah, this code is a SQL injection and/or syntax error waiting to happen - learn to use prepared statements and parameters. – ADyson Aug 03 '22 at 12:38
  • `htmlspecialchars` is an output filter, not an input filter. It's only useful when outputting the data into an HTML document (to help prevent XSS attacks). It has no value when used with a database query, and could in fact corrupt the data being used in the search, leading to it not finding any results. – ADyson Aug 03 '22 at 12:38
  • Thank you, I think I'll learn how to use MySQL properly before continuing. – el ton Aug 03 '22 at 12:54
  • `if(isset($_GET['s'])){ if ($_GET['s'] != "") { $search = htmlspecialchars($_GET['s']); $result = $bdd->query("SELECT * FROM table WHERE column = '".$search."' ) ; } else { // redirect to index page } }` – Yasir Mehmood Aug 03 '22 at 12:55
  • @YasirMehmood no, that's still vulnerable to SQL injection attacks and silly syntax errors, and still uses htmlspecialchars inappropriately. Please join the OP in learning to do these things properly. – ADyson Aug 03 '22 at 12:58

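The approach the comments recommend, as an added example that is not code from the OP or the commenters: the strict-equality search done with a PDO prepared statement, with `htmlspecialchars()` moved to output time. It assumes a constructed `items` table with a `name` column (the OP's `table`/`column` are placeholders) and uses an in-memory SQLite database so it runs offline; replace the DSN with your MySQL connection in real use.

```php
<?php
// Added example: in-memory SQLite with constructed sample rows (needs pdo_sqlite).
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$seed = $bdd->prepare('INSERT INTO items (name) VALUES (:name)');
foreach (['alpha', "O'Brien", 'alpha beta'] as $name) {
    $seed->execute([':name' => $name]);
}

/**
 * Return the rows whose `name` column is exactly equal to $search.
 * The value is sent as a bound parameter, so quotes in $search cannot alter
 * the SQL text; no manual escaping (and no htmlspecialchars) is needed here.
 */
function findExact(PDO $bdd, string $search): array
{
    $stmt = $bdd->prepare('SELECT id, name FROM items WHERE name = :s');
    $stmt->bindValue(':s', $search, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same gate as the question: only query when ?s= is present and non-empty.
// The fallback value lets the script run from the command line (where $_GET is empty).
$input = $_GET['s'] ?? "O'Brien";
if ($input !== '') {
    // With string concatenation this input would have produced
    //   SELECT ... WHERE name = 'O'Brien'   (broken SQL, and an injection point);
    // the prepared statement returns the one matching row instead.
    $rows = findExact($bdd, $input);

    // htmlspecialchars() belongs at the point where data is written into HTML.
    foreach ($rows as $row) {
        echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Run from the CLI it prints `O&#039;Brien`, the escaped form of the single exact match; `alpha beta` is not returned for a search of `alpha` because `=` compares the whole value.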
0 Answers