Search database with special character

Question

How to search the database with special character?

I use this code to as a button

<a href="search.php?search=A & W Restaurants&submit=submit">A & W Restaurants</a>

After that, I use this to search database

$query = mysql_real_escape_string($_GET['search']);

SELECT * FROM table WHERE 1st_column LIKE '%{$query}%'

But the search result show me is empty.

I think is "&" to stop my database query.

any idea on this?

Thanks for advance

Please, oh ***please*** use a prepared statement. http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php — Matt Ball, Dec 30 '11 at 06:07

score 1 · Accepted Answer · edited Dec 30 '11 at 15:35

1

i dont think this url "search.php?search=A & W Restaurants" is vaild

please url encode it - A & W Restaurants

edited Dec 30 '11 at 15:35

Matt Ball

answered Dec 30 '11 at 06:07

user192344

score -1 · Answer 2 · answered Dec 30 '11 at 06:13

-1

try this

SELECT * FROM table WHERE 1st_column='$query'

I don't know about how your setting the search but to get a value colume='to_value' sould work better then like if like is even a select comanned

answered Dec 30 '11 at 06:13

nate

Please don't ever actually try this in code that is exposed to the Internet. It's a textbook SQL-injection vulnerability. – Ian Clelland Dec 30 '11 at 06:56

2 Answers2