Just use PHP's string searching functions.  I had a similar situation where
I was inserting user-provided data into a MySQL database.  I searched for
MySQL "bad words" that I didn't want a hacker to insert into queries, such
as DELETE, ADD, INSERT, MODIFY, etc. to prevent mischief.

FYI, you can dispense with the tidy-up by adding "1" in your pre-pend phrase
and moving the AND to the front of your query.  Such as:
   $sql_text .= " AND  column1 LIKE '%$s_a[$s_a_i]%' OR column2 LIKE
'%$s_a[$S_a_i]%' ";

Then pre-pend with:  
$sql_text = "SELECT id, columnx, columny FROM sometable WHERE 1" .

This will save a few milli-seconds because PHP will not have to execute the
"substr($sql_text, 0, strlen($sql_text)-4)" functionality.

-----Original Message-----
From: Dave Watkinson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 5:26 AM
To: PHP-DB List (E-mail)
Subject: [PHP-DB] Help Please! Complex AND OR LIKE queries MySQL/PHP

Hi everyone
I need to write a small search script for our admin site (and eventually
for the "outsiders" too!). There's a text box where the user types in
what they're searching for. It's easy enough to parse their string into
an array and create the query from it, for example
<user typed in HTML Java Oracle, separated by spaces>
$s_a = explode(" ", $user_input);
for ($s_a_i=0; $s_a_i<= sizeof($s_a); $s_a_i++) {
    $sql_text .= " column1 LIKE '%$s_a[$s_a_i]%' OR column2 LIKE
'%$s_a[$S_a_i]%' AND ";
and then tidy it up by adding
//    remove trailing AND
$sql_text = substr($sql_text, 0, strlen($sql_text)-4);
//    prepend start of sql command
$sql_text = "SELECT id, columnx, columny FROM sometable WHERE " .
and then running the query.
However, what I need to be able to do is detect if people have typed in
the words AND OR or NOT and handle them appropriately, also remembering
that I'll be searching TWO columns in the table every time.
Are there perhaps any functions I can get for this? Or is there a really
easy way I can do it that's escaped (scuse the pun!) me?
Many thanks in advance

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to