Quote:
Originally Posted by perplexed
Result from adding the echo $sql shows that all three of the form fields are not receiving the values. This means the query reads simply as 'select all'!
SELECT * FROM table WHERE '' LIKE '%%' ORDER BY ''
Incidentally, I've never seen the mysql_real_escape_string mentioned before. Again that shows how long ago it was since I wrote the code. The database whilst being hosted on my website and accessed via a webpage is just for personal use. As a result one needs a username and password to access the search page.
Fair enough, but I would recommend the use of mysql_real_escape_string in ALL cases of user supplied data, password protected or not. It's just a good habit to get into and helps prevent SQL injection (Google it for more info).
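An added example, not code from either poster: the same three-field search built so that user input never becomes SQL text. It uses a PDO prepared statement instead of mysql_real_escape_string (the mysql_* functions were removed in PHP 7.0) and an allowlist for the two column names, since escaping a string value does nothing for input used as an identifier. The form keys, the books table, its columns and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example: table, column names and form keys are hypothetical.
const SEARCHABLE = ['title', 'author', 'year'];

// Turn the three form fields into a query string plus bound parameters.
// Throws InvalidArgumentException instead of running a match-everything query.
function build_search(array $form): array
{
    $field = $form['field'] ?? '';
    $order = $form['order'] ?? '';
    $term  = is_string($form['term'] ?? null) ? trim($form['term']) : '';

    // Column names cannot be bound or escaped as values, so allowlist them.
    if (!in_array($field, SEARCHABLE, true) || !in_array($order, SEARCHABLE, true)) {
        throw new InvalidArgumentException('unknown column');
    }
    // The case from the thread: empty fields must not become LIKE '%%'.
    if ($term === '') {
        throw new InvalidArgumentException('empty search term');
    }
    $sql = "SELECT * FROM books WHERE $field LIKE ? ORDER BY $order";
    return [$sql, ['%' . $term . '%']];
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE books (title TEXT, author TEXT, year INTEGER)");
$pdo->exec("INSERT INTO books VALUES ('Dune', 'Herbert', 1965), ('At Swim', 'O''Brien', 1939)");

$inputs = [
    ['field' => 'author', 'term' => "O'Brien", 'order' => 'year'],   // quote stays data
    ['field' => 'author; --', 'term' => 'x', 'order' => 'year'],     // not an allowed column
    ['field' => '', 'term' => '', 'order' => ''],                    // empty form, as in the thread
];
foreach ($inputs as $form) {
    try {
        [$sql, $params] = build_search($form);
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        echo $sql, ' => ', count($stmt->fetchAll()), " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```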