-2

i have database table with reservoir details. these reservoirs are categorized to 18 types according to their characters. each reservoir has unique code (reservoir code). then i need to find and display these reservoirs based on their type. i use form to select reservoir type and submit to PHP page and display reservoir list ORDER BY reservoir code. I use following code.

`

<?php
if (isset($_POST['submit1'])) {

$errors = array();

  $discode = $_REQUEST['discode'];
  $restype = $_REQUEST['restype'];

  $resreq= $discode.$restype;

$sql = "SELECT * FROM resourcelist WHERE rescode LIKE '$resreq__' ORDER BY rescode  ";

$result = $con->query($sql);

     ?>
<form action="" method="post" enctype="multipart/form-data" >       
<table class="table table-hover table-striped table-responsive">
    <thead>
        <tr>
        <th>ID</th>
        <th>Resource Type</th>
        <th>Reservoir Name</th>
        <th>Reservoir Code</th>
    </tr>
    </thead>
    <tbody> 
        <?php
            if ($result->num_rows > 0) {
                while ($row = $result->fetch_assoc()) {
        ?>
                    <tr>
                    <td><?php echo $row['id']; ?></td>         
                    <td><?php echo $restype; ?></td>
                    <td><?php echo $row['cultsysname']; ?></td>
                    <td><?php echo $row['rescode']; ?></td>
                    
                    </tr>                       

        <?php       }

            }
}
        ?> 
        </tbody>
        </table>
    </form>

` but it give empty results.

i try to use

$sql = "SELECT * FROM resourcelist WHERE rescode LIKE CONCAT($resreq,'_') ORDER BY rescode "; but when use

$sql = "SELECT * FROM resourcelist WHERE rescode LIKE '$resreq%') ORDER BY rescode ";

give result with other categories rescode with same characters with extra letters.

what will be the issue? please help to solve this. Thanks,

DusanthaM
  • 3
  • 3
  • That is the right way: `'{$resreq}__'` – Foobar Dec 15 '22 at 16:59
  • We need a glimps of the data you try to filter on – theking2 Dec 15 '22 at 17:28
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Dec 15 '22 at 18:20

1 Answers1

0

You need to delimit the variable so that the underscores will not be treated as part of the variable name, e.g. {$resreq}__.

However, you should not substitute variables directly into SQL queries, as this opens you up to SQL-injection attacks. Use a prepared statement with parameters. Then you can use CONCAT() to concatenate _ or % to the regexp.

$sql = "SELECT * FROM resourcelist WHERE rescode LIKE CONCAT(?, '__') ORDER BY rescode";
$stmt = $con->prepare($sql);
$stmt->bind_param("s", $resreq);
$stmt->execute();
$result = $stmt->get_result();
Barmar
  • 741,623
  • 53
  • 500
  • 612