Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

docmd.close 2585, WWWXXXAPC, WWWXXXDOCO, nu vot, dhcpd lease file "binding state", WWWXXXDOCO, how to setup procmail to process html2text, how to setup procmail html2text, WWWXXXAPC., XXXCNZZZ

Links

XODOX
Impressum

#1: problems with sprintf and escaping %

Posted on 2008-04-11 03:50:50 by nn

i have the following query:

$query = "SELECT * FROM cds WHERE $campo LIKE ('%$busqueda%') ORDER BY
$ordenada";

which i'm trying to change to sprintf to use mysql_real_escape_string
since i've heard that it's better and a more secure way to do queries
, like so:

$query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%s' ORDER BY
'%s'",
mysql_real_escape_string($campo),
mysql_real_escape_string($busqueda),
mysql_real_escape_string($ordenada)
);

the problem is that i lack the % before and after the $busqueda.
i read that i should escape twice the % ( like so?):

$query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%%%s%%' ORDER BY
'%s'",
etc...

but obviously i'm doing something wrong since i get 0 results.

how do i express the query above with sprintf, and how do escape
correctly the %?

thank you very much,

NN

Report this message