problems with sprintf and escaping %

on 11.04.2008 03:50:50 by nn

I have the following query:

$query = "SELECT * FROM cds WHERE $campo LIKE ('%$busqueda%') ORDER BY
$ordenada";

which I'm trying to change to sprintf to use mysql_real_escape_string,
since I've heard that it's a better and more secure way to do queries,
like so:

$query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%s' ORDER BY
'%s'",
mysql_real_escape_string($campo),
mysql_real_escape_string($busqueda),
mysql_real_escape_string($ordenada)
);

The problem is that I lack the % before and after $busqueda.
I read that I should escape the % twice (like so?):

$query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%%%s%%' ORDER BY
'%s'",
etc...

But obviously I'm doing something wrong, since I get 0 results.

How do I express the query above with sprintf, and how do I escape
the % correctly?

Thank you very much,

NN

Re: problems with sprintf and escaping %

on 11.04.2008 04:21:30 by Jerry Stuckle

NN wrote:
> I have the following query:
>
> $query = "SELECT * FROM cds WHERE $campo LIKE ('%$busqueda%') ORDER BY
> $ordenada";
>
> which I'm trying to change to sprintf to use mysql_real_escape_string,
> since I've heard that it's a better and more secure way to do queries,
> like so:
>
> $query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%s' ORDER BY
> '%s'",
> mysql_real_escape_string($campo),
> mysql_real_escape_string($busqueda),
> mysql_real_escape_string($ordenada)
> );
>
> The problem is that I lack the % before and after $busqueda.
> I read that I should escape the % twice (like so?):
>
> $query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%%%s%%' ORDER BY
> '%s'",
> etc...
>
> But obviously I'm doing something wrong, since I get 0 results.
>
> How do I express the query above with sprintf, and how do I escape
> the % correctly?
>
> Thank you very much,
>
> NN
>

Did you try echoing the SQL to see what it actually looks like?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: problems with sprintf and escaping %

on 11.04.2008 04:43:07 by nn

On Thu, 10 Apr 2008 22:21:30 -0400, Jerry Stuckle wrote:

>NN wrote:
>> I have the following query:
>>
>> $query = "SELECT * FROM cds WHERE $campo LIKE ('%$busqueda%') ORDER BY
>> $ordenada";
>>
>> which I'm trying to change to sprintf to use mysql_real_escape_string,
>> since I've heard that it's a better and more secure way to do queries,
>> like so:
>>
>> $query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%s' ORDER BY
>> '%s'",
>> mysql_real_escape_string($campo),
>> mysql_real_escape_string($busqueda),
>> mysql_real_escape_string($ordenada)
>> );
>>
>> The problem is that I lack the % before and after $busqueda.
>> I read that I should escape the % twice (like so?):
>>
>> $query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%%%s%%' ORDER BY
>> '%s'",
>> etc...
>>
>> But obviously I'm doing something wrong, since I get 0 results.
>>
>> How do I express the query above with sprintf, and how do I escape
>> the % correctly?
>>
>> Thank you very much,
>>
>> NN
>>
>
>Did you try echoing the SQL to see what it actually looks like?

Thank you very much Jerry. Just by echoing $query I realized that
I had misused the single quotes.

This query solved the problem:
$query = sprintf("SELECT * FROM cds WHERE %s LIKE '%%%s%%' ORDER BY %s",
mysql_real_escape_string($campo),
mysql_real_escape_string($busqueda),
mysql_real_escape_string($ordenada)
);

Thanks again,

NN
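The fix above removes the quotes around the column names, but it leaves the two identifiers ($campo and $ordenada) protected only by mysql_real_escape_string, which escapes characters inside a quoted string literal and does nothing for an unquoted identifier. The following is an added example, not code from the thread: it builds the same query with sprintf, restricts the identifiers to an allow-list, and escapes the LIKE wildcards in the search term. It assumes a mysqli connection (the mysql_* functions used in the thread were removed in PHP 7) and constructed column names.

```php
<?php
// Added example (not from the thread). Assumed connection details.
$db = new mysqli('localhost', 'user', 'pass', 'musica');

function buildCdQuery(mysqli $db, string $campo, string $busqueda, string $ordenada): string
{
    // $campo and $ordenada are identifiers, not values. real_escape_string only
    // protects text inside a quoted literal, so identifiers come from an allow-list.
    $allowed = ['titulo', 'artista', 'anio'];   // constructed column names
    if (!in_array($campo, $allowed, true) || !in_array($ordenada, $allowed, true)) {
        throw new InvalidArgumentException('column not allowed');
    }

    // Escape LIKE metacharacters first, so a term such as "100%" or "a_b" is matched
    // literally, then escape quotes and backslashes for the string literal.
    $term = addcslashes($busqueda, '%_\\');
    $term = $db->real_escape_string($term);

    // In an sprintf format, %% is a literal %, so '%%%s%%' becomes '%<term>%'.
    // Identifiers are wrapped in backticks, not single quotes.
    return sprintf("SELECT * FROM cds WHERE `%s` LIKE '%%%s%%' ORDER BY `%s`",
                   $campo, $term, $ordenada);
}

// Echo the SQL before running it, as suggested earlier in the thread.
$sql = buildCdQuery($db, 'titulo', "rock'n'roll", 'artista');
echo $sql, "\n";
$result = $db->query($sql);
```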

Re: problems with sprintf and escaping %

on 11.04.2008 06:48:39 by Shion

NN wrote:
> I have the following query:
>
> $query = "SELECT * FROM cds WHERE $campo LIKE ('%$busqueda%') ORDER BY
> $ordenada";
>
> which I'm trying to change to sprintf to use mysql_real_escape_string,
> since I've heard that it's a better and more secure way to do queries,
> like so:
>
> $query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%s' ORDER BY
> '%s'",
> mysql_real_escape_string($campo),
> mysql_real_escape_string($busqueda),
> mysql_real_escape_string($ordenada)
> );

In PHP you could also use:

$query="SELECT * FROM cds WHERE '".mysql_real_escape_string($campo)."' LIKE
'".mysql_real_escape_string($busqueda)."' ORDER BY
".mysql_real_escape_string($ordenada);

I would use sprintf if I want to format the input data in another way than what
you have in the variables, for example if you have a float with 10 decimals
and you only want to show two.



--

//Aho
