Re: Problem with passing variable to mssql

Please include the list when replying.

William Curry wrote:
> Thanks for the quick reply. I left out the concats in my sample; here is the exact statement:
>
>   $qry1 = "SELECT *,CONVERT(Char(24),CALL_ENTRY_DATE,101) as MYDATE from PcarsCallComplete
>   where Location_address = " .$Location2. " order by CALL_NO";
>
> and as echoed with the $Location2 value inserted:
>
>   SELECT *,CONVERT(Char(24),CALL_ENTRY_DATE,101) as MYDATE from PcarsCallComplete where Location_address = '1121 800N,TOT,TOT' order by CALL_NO
>
> $Location2 is passed in the URL when the user clicks a hyperlink for a certain address record from a list of possible matches. $qry1 returns 0 records in the page, but 10 records in SQL QA. I run the URL var through a stripslashes and add the '%' before inserting it into the string. I've never used the str_replace function, and generally get the same results with similar statements. Baffled.

1) The str_replace is necessary to protect against SQL injection attacks. If you don't know what that means, Google it.

2) Are you checking return values for errors? If not, try that.

Aside from that I have no idea. If there are no errors and you are still getting different results from the script and from QA with the same SQL statement then by definition something *is* different.

-Stut

--
http://stut.net/

 >>> Stut <stuttle@xxxxxxxxx> 6/28/2007 8:30 AM >>>
William Curry wrote:
> I have issues I can't understand passing a sql statement to mssql, most
> of which work fine, however in some cases, a statement like
> "SELECT * FROM tblX where value like 'variable%' "  will return 0
> records when I know they are there. No errors, just 0 records.
>
> When I echo the sql string to the page, cut and paste it into SQL query
> analyzer, the exact same statement returns the expected records.
>
> Anyone point me to the answer??

It's over there ----->

Sorry, couldn't resist.

Anyhoo, are you expecting variable to be replaced with the contents of
$variable? If so that's never going to work. Try this instead...

"SELECT * FROM tblX where value like '".str_replace("'", "''",
$variable)."%' "

-Stut

--
http://stut.net/
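Added example, not from either poster and not PHP code from the thread: it shows concretely why the quote-doubling str_replace in Stut's reply matters, what happens to the naive concatenated query when the URL variable contains a quote, and why a parameterised query is the better fix. It runs against an in-memory SQLite database so it is self-contained; the escaping rule ('' inside a string literal) is the same in T-SQL, so the behaviour carries over to the MSSQL case. The table name tblX and the sample rows are constructed for this demo, and the LIKE prefix is appended as "%" the way the original poster describes.

```python
"""Naive SQL string building vs. quote doubling vs. parameters.

Added example for the PHP Database list thread above; not the poster's
code. SQLite stands in for MSSQL, tblX and its rows are constructed.
"""
import sqlite3

# Constructed sample data standing in for the poster's tblX.
SAMPLE_ROWS = [
    (1, "1121 800N,TOT,TOT"),
    (2, "1121 800N,TOT"),
    (3, "500 MAIN ST"),
    (4, "O'NEIL RD"),          # a legitimate value containing a quote
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblX (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO tblX VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_sql_literal(s: str) -> str:
    """Python equivalent of str_replace("'", "''", $variable).

    Doubling the quote is the only way to put a single quote inside a
    T-SQL / SQLite string literal; it stops the literal being closed early.
    """
    return s.replace("'", "''")


def build_naive(prefix: str) -> str:
    # Untrusted input dropped straight into the literal: injectable.
    return f"SELECT id FROM tblX WHERE value LIKE '{prefix}%' ORDER BY id"


def build_escaped(prefix: str) -> str:
    # Same query with Stut's quote doubling applied to the input.
    return (f"SELECT id FROM tblX WHERE value LIKE "
            f"'{escape_sql_literal(prefix)}%' ORDER BY id")


def query_ids(conn: sqlite3.Connection, sql: str, params=()):
    """Run a query and return the matching ids, or an error string.

    Mirrors point 2 of the reply: never discard the error; a query that
    fails and a query that matches nothing both look like "0 records".
    """
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error as exc:
        return f"error: {exc}"


def query_param(conn: sqlite3.Connection, prefix: str):
    # Parameterised form: the driver sends the value separately from the
    # SQL text, so no quoting rule has to be remembered at all.
    return query_ids(conn,
                     "SELECT id FROM tblX WHERE value LIKE ? ORDER BY id",
                     (prefix + "%",))


def demo() -> dict:
    conn = make_db()
    honest = "1121 800N"
    hostile = "' OR 1=1 --"      # constructed injection payload
    apostrophe = "O'NEIL"        # honest input that also breaks naive SQL
    return {
        # naive: works for tame input ...
        "naive_honest": query_ids(conn, build_naive(honest)),
        # ... but the payload closes the literal and comments out the rest:
        # WHERE value LIKE '' OR 1=1 --%' ORDER BY id  -> every row
        "naive_hostile": query_ids(conn, build_naive(hostile)),
        # a mere apostrophe produces a syntax error (0 records, no data)
        "naive_apostrophe": query_ids(conn, build_naive(apostrophe)),
        # quote doubling keeps the payload inside the literal
        "escaped_hostile": query_ids(conn, build_escaped(hostile)),
        "escaped_apostrophe": query_ids(conn, build_escaped(apostrophe)),
        # parameters: same safety without hand-rolled escaping
        "param_hostile": query_param(conn, hostile),
        "param_apostrophe": query_param(conn, apostrophe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Two caveats a practitioner would add to the thread's advice: quote doubling protects only string literals in single quotes (it does nothing for values spliced into a numeric position or an identifier), and it does not neutralise the LIKE wildcards `%` and `_`, so a user who types `%` still matches every row. Parameterised queries address the first problem; escaping the wildcards is a separate step if that matters for the application.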

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

