Safe, Simple, SQL statement


Dankinit
04-29-2004, 12:24 PM
After reading about SQL injection methods on various sites and proper coding techniques from the new vb3 manual, I'm looking over all my code before launching the next vb3 version of my site.

What's the proper way to write this statement? As it stands, it doesn't work. I know it's the way I'm using quotes around the $letter variable, just wondering the "proper" and safe way to access this. Thanks for any help :)


$letterlisting = $DB_site->query("
SELECT ID,Artist
FROM music
WHERE Artist LIKE '" . $letter . "'
GROUP BY Artist
ORDER BY Artist;
");

Xenon
04-29-2004, 12:30 PM
You have to use parameters when you're using LIKE:
WHERE Artist LIKE '" . $letter . "%'

Dankinit
04-29-2004, 01:36 PM
Thanks, after all that rework I did, I forgot the important "%"! No wonder it wasn't working :) Thanks Xenon.

filburt1
04-29-2004, 01:48 PM
Always wrap any string variable with addslashes() and numeric values with intval() when using them in queries.
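Added example, not code from the thread or from vBulletin: it builds the artist-listing query from the original post with the "%" Xenon pointed out and the addslashes() wrapping filburt1 recommends, and additionally escapes the LIKE wildcards so a caller cannot pass "%" to list every artist. The function names and the sample inputs are constructed for this example.

```php
<?php
// Escape a string for use inside a MySQL LIKE pattern. addslashes() handles
// the quote and backslash characters (as filburt1 suggests); "%" and "_" are
// LIKE metacharacters and need a backslash as well, otherwise a user-supplied
// "%" matches every row. Order matters: wildcard escaping goes last so the
// backslash it adds is not doubled by addslashes().
function escape_like_value(string $value): string
{
    $value = addslashes($value);
    return str_replace(['%', '_'], ['\\%', '\\_'], $value);
}

// Build the listing query for one initial letter. Returns null for an empty
// value so the caller can show an error instead of running a query.
function build_letter_query(string $letter): ?string
{
    $letter = trim($letter);
    if ($letter === '') {
        return null;
    }
    $safe = escape_like_value($letter);
    return "SELECT ID, Artist FROM music"
         . " WHERE Artist LIKE '" . $safe . "%'"   // the trailing "%" the thread was missing
         . " GROUP BY Artist ORDER BY Artist";
}

// Constructed sample inputs: a normal letter, a bare wildcard, and a
// quote-breaking string. The first concatenation in the thread would turn the
// third one into  LIKE '' OR 1=1 -- '  and match every row; here it becomes a
// harmless literal.
$samples = ['A', '%', "' OR 1=1 -- "];
foreach ($samples as $input) {
    printf("%-16s => %s\n", var_export($input, true), build_letter_query($input) ?? '(rejected)');
}
// Note: addslashes() is charset-unaware. With a live connection, escape
// through the driver (mysql_real_escape_string()) or use a prepared
// statement instead, and still apply the wildcard escaping for LIKE.
```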

Xenon
04-29-2004, 04:04 PM
Thanks, after all that rework i did, i forgot the important "%"! No wonder it wasn't working :) Thanks Xenon.
You're welcome :)