Friends, there is a table with a column `name`. The table holds a record such as "Ivanov Roman Kapranovich".

The task is to write a query that returns the row "Ivanov Roman Kapranovich" even when the search phrase is, for example, only 4 characters long: "Ivan". At the moment I am testing with a query in this format:

SELECT * FROM users WHERE MATCH (name) AGAINST ('".$_GET['user']."' IN BOOLEAN MODE) 

But as practice has shown, this query does not find what I need. It only works if the search phrase is typed out completely, without errors and in full (thank God it is at least case-insensitive). My task, however, is to search by a partial word.

  • SELECT * FROM users WHERE LOWER(name) like '%иван%' ? - nobody

2 answers

Understood. Here is the correct query format to search for any occurrence of the string:

 SELECT * FROM users WHERE MATCH (name) AGAINST ('*".$_GET['user']."*' IN BOOLEAN MODE) 
  • curl "http://somewhere/index.php?user='); DROP TABLE users; --" - and right away an example of SQL injection - etki
  • Guys, I pasted someone else's code. Obviously all the data gets processed; I didn't focus on that, purely on the search) nobody, nobody writes like that :) - WhoIsDT

' ". $ _ GET [' user ']." 'Oh my goodness, SQL Injection is pure!

Never substitute raw data from the request into a database query!!!

Integer data is handled with (int)$_GET['id'], fractional numbers with (float)$_GET['price'], and strings ideally with mysqli_real_escape_string, or at worst with addslashes($_GET['string']); the inserted string value must always be enclosed in single quotes. To escape a quote inside a query, you put a backslash \ in front of it.

 'SELECT * FROM `users` WHERE MATCH (`name`) AGAINST (\'*'.addslashes($_GET['user']).'*\' IN BOOLEAN MODE)'; 

But you are not using the optimal query. This is done more simply and faster with LIKE, provided that your table or the user field was created with the attribute CHARACTER SET utf8 COLLATE utf8_general_ci, that is, case-insensitive Unicode.

 'SELECT * FROM `users` WHERE `name` LIKE \'%'.addslashes($_GET['user']).'%\'';
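As an added example (not code from either answer), the same substring search on `name` written with a mysqli prepared statement instead of addslashes(), which keeps the user's text out of the query structure entirely; it also escapes % and _ so those characters in the input are not treated as extra wildcards. It assumes a `users` table with `id` and `name` columns, placeholder connection constants, and the hypothetical helper names escapeLikePattern and findUsersByNameFragment.

```php
<?php
// Added example, not part of the original answers: parameterised LIKE search.
// Assumes a `users` table with `id` and `name` columns and the placeholder
// connection details below. Case-insensitivity still depends on the column's
// collation, exactly as the answer above notes.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Escape characters that are special inside a LIKE pattern ('%', '_' and the
 * escape character itself). Quote-escaping alone (addslashes/real_escape_string)
 * does not do this, so a search for "50%" would otherwise match everything.
 */
function escapeLikePattern(string $term, string $escapeChar = '!'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $term
    );
}

/**
 * Substring search on `name`. The pattern is bound as a parameter, so input such
 * as the "'); DROP TABLE users; --" payload from the comments above is sent to
 * the server as plain data and can never alter the statement.
 */
function findUsersByNameFragment(mysqli $db, string $fragment): array
{
    $pattern = '%' . escapeLikePattern($fragment) . '%';
    // ESCAPE '!' makes the escape character explicit, independent of sql_mode.
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name LIKE ? ESCAPE '!'");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Placeholder credentials; replace with real configuration.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

$fragment = (string)($_GET['user'] ?? '');
foreach (findUsersByNameFragment($db, $fragment) as $row) {
    // Escape on output too, so a stored name cannot inject HTML into the page.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With this query, `?user=Ivan` matches "Ivanov Roman Kapranovich" without any full-text index, and the minimum-word-length limits of MATCH ... AGAINST no longer apply.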