Just use PHP's string searching functions.  I had a similar situation where
I was inserting user-provided data into a MySQL database.  I searched for
MySQL "bad words" that I didn't want a hacker to insert into queries, such
as DELETE, ADD, INSERT, MODIFY, etc. to prevent mischief.

FYI, you can dispense with the tidy-up by adding "1" in your prepend phrase
and moving the AND to the front of your query.  Such as:
   // parentheses keep each term's OR from binding across the ANDs
   $sql_text .= " AND (column1 LIKE '%$s_a[$s_a_i]%' OR column2 LIKE '%$s_a[$s_a_i]%') ";

Then prepend with:
$sql_text = "SELECT id, columnx, columny FROM sometable WHERE 1" .
$sql_text;

This will save a few milliseconds because PHP will not have to execute the
"substr($sql_text, 0, strlen($sql_text)-4)" functionality.

-----Original Message-----
From: Dave Watkinson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 5:26 AM
To: PHP-DB List (E-mail)
Subject: [PHP-DB] Help Please! Complex AND OR LIKE queries MySQL/PHP


Hi everyone
 
I need to write a small search script for our admin site (and eventually
for the "outsiders" too!). There's a text box where the user types in
what they're searching for. It's easy enough to parse their string into
an array and create the query from it, for example
 
<user typed in HTML Java Oracle, separated by spaces>
 
$sql_text = "";
$s_a = explode(" ", $user_input);
// < rather than <=, otherwise the last iteration reads past the end of $s_a
for ($s_a_i=0; $s_a_i < sizeof($s_a); $s_a_i++) {
    // parentheses make the OR between the two columns explicit
    $sql_text .= " (column1 LIKE '%$s_a[$s_a_i]%' OR column2 LIKE '%$s_a[$s_a_i]%') AND ";
}
 
and then tidy it up by adding
 
//    remove trailing AND
$sql_text = substr($sql_text, 0, strlen($sql_text)-4);
 
//    prepend start of sql command
$sql_text = "SELECT id, columnx, columny FROM sometable WHERE " .
$sql_text;
 
and then running the query.
 
However, what I need to be able to do is detect if people have typed in
the words AND OR or NOT and handle them appropriately, also remembering
that I'll be searching TWO columns in the table every time.
 
Are there perhaps any functions I can get for this? Or is there a really
easy way I can do it that's escaped (scuse the pun!) me?
 
Many thanks in advance
 
 
Dave
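A worked version of the search builder discussed in both messages above, added here as an example and not code from either poster: it keeps the "WHERE 1" prepend from the reply so nothing has to be trimmed off the end, recognises the AND, OR and NOT words Dave asks about, searches both columns for every term, and binds each term as a PDO placeholder so that a word like DELETE or INSERT typed into the search box is only a substring to match, never part of the SQL text. Table and column names come from Dave's message; the function name, the PDO connection details and the PHP 7.1+ syntax are this example's own assumptions.

```php
<?php
// Added example (not from the thread). Builds the two-column LIKE search from a
// free-text box, honouring AND / OR / NOT, and returns the SQL plus the values to
// bind. sometable, column1, column2, id, columnx, columny are from Dave's message;
// build_search_query is a name chosen for this example.

function build_search_query(string $userInput): array
{
    // Split on runs of whitespace; PREG_SPLIT_NO_EMPTY drops the empty tokens
    // that explode(" ", ...) would produce for double spaces.
    $tokens = preg_split('/\s+/', trim($userInput), -1, PREG_SPLIT_NO_EMPTY);

    // "WHERE 1" (the trick from the reply): every clause can be prefixed with
    // an operator, so there is no trailing AND to remove afterwards.
    $sql    = "SELECT id, columnx, columny FROM sometable WHERE 1";
    $params = [];
    $op     = "AND";   // operator to put in front of the next term
    $negate = false;   // a NOT that is waiting for its term

    foreach ($tokens as $token) {
        $upper = strtoupper($token);
        if ($upper === 'AND' || $upper === 'OR') {
            $op = $upper;      // remembered and applied when the next term arrives
            continue;
        }
        if ($upper === 'NOT') {
            $negate = true;
            continue;
        }

        // One LIKE per column, parenthesised so AND/OR precedence is explicit.
        $clause = "(column1 LIKE ? OR column2 LIKE ?)";
        if ($negate) {
            $clause = "NOT " . $clause;
        }
        $sql .= " $op $clause";

        // Escape the LIKE metacharacters in the user's word (MySQL's default
        // escape character is the backslash) and add the wildcards to the bound
        // value; nothing the user typed ever reaches the SQL string itself.
        $pattern  = '%' . addcslashes($token, '%_\\') . '%';
        $params[] = $pattern;
        $params[] = $pattern;

        $op     = "AND";   // bare words are ANDed together, as in the original loop
        $negate = false;
    }

    return [$sql, $params];
}

// Constructed sample input, extending the "HTML Java Oracle" case from the message.
[$sql, $params] = build_search_query("HTML Java OR Oracle NOT Perl");
echo $sql, "\n";
print_r($params);

// Running it with PDO: the server receives the placeholders and the values
// separately, so the values are searched for, not parsed as SQL.
// Connection string and credentials below are placeholders.
// $pdo  = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass');
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

For the sample input this produces four parenthesised two-column clauses joined by AND, OR and AND NOT, with eight bound `%term%` values. The parentheses matter because MySQL evaluates AND before OR, so the un-bracketed `column1 LIKE ... OR column2 LIKE ... AND ...` form in the thread would match column2 against one term together with column1 against the next. Because the terms are bound rather than interpolated, the bad-word check mentioned in the reply is not needed, and the `addcslashes` call stops a typed `%` or `_` from turning into a match-everything wildcard.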
 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
