LIKE with dynamic strings

Asked Sep 04 '13 at 18:18

Active Sep 04 '13 at 19:05

Viewed 73 times

I'm currently working on a twitter-like mention function, where you can see, if you got mentioned somewhere. You normally can mention someone by writing '@James Hi, what's up' - So I just used

$yourusername = $_SESSION['username'];    
$result = $db->query("SELECT * FROM posts WHERE content LIKE '%@".$yourusername."' ORDER by id");

This code is searching for entries containing '@YourUsername'. The problem here is, that it also shows me mentions of @YourUsername2 and @YourUsername3 - I've already tried it by adding spaces, but as you know, people will also do '@James, you ol' bastard :)' or '@James!!!!!'

Edit: This is not my real code, I know how to prevent SQL-injections and that stuff and I'm using it. This is just for keeping the code simple.

edited Sep 04 '13 at 18:53

Mikhail Shcherbakov

1,826
16
22

asked Sep 04 '13 at 18:18

Gap

3

Warning: SQL Injection. Learn how to use prepared statements – Barranka Sep 04 '13 at 18:20
You can use regex in mysql. Select the username followed by a special character? (And also, sql injections.) – Callombert Sep 04 '13 at 18:20
but regex's are slow, you might not want that – Martijn Sep 04 '13 at 18:21
1

@Brarranka: You have no clue where `$yourusername` is coming from. If you are sure it is safe, a normal query will do just find. Allthough, chances are this is userinput :) – Martijn Sep 04 '13 at 18:23
http://stackoverflow.com/questions/5743177/mysql-how-to-search-for-exact-word-match-using-like – Martijn Sep 04 '13 at 18:27

LIKE with dynamic strings

0 Answers0