php/mysql search query syntax

Question

I have a problem with my search query, $s_query. The user can search a type (Date, Title, or Location) which corresponds to a colum in my mysql database

$search_type =mysql_real_escape_string($_POST['type']);
$search_query =mysql_real_escape_string($_POST['search_query']);

if ($search_query == "") {
  echo "<p>Please enter a search...</p>";
  exit;}

$s_query = "SELECT * FROM `posts` WHERE `$search_type` == `$search_query` ";

$s_result1=mysql_query($s_query);

if (!$s_result1) {
    die('Invalid query: ' . mysql_error());
    //header ("Location: /UC_page.html");
}

$s_row = mysql_fetch_array($s_result1);
$s_num1=mysql_numrows($s_result1);
mysql_close();

mysql_error says: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '== 1956'

i have tried every operator possible and every kind of syntax i could find, but im stuck. at one point i got the date to work, but not any of the strings. thanks in advance.

Answer 1

This might help you understand what query MySQL is expecting:

$s_query = "SELECT * FROM `posts` WHERE `" . $search_type . "` = " . $search_query;

Also make sure you add the necessary quotes to $search_query. EG: If it is a string then surround it with '.

Answer 2

Actually you have two problems. First, you're surrounding your value with `, which is invalid. Use " or ' instead.

Also, == is not valid syntax, you need to use a single = instead. Although, looking at what you're doing, you probably want to use LIKE instead, for a case-insensitive search.

So this query should work:

SELECT * FROM `posts` WHERE `$search_type` = '$search_query'

Or with LIKE:

SELECT * FROM `posts` WHERE `$search_type` LIKE '$search_query'

Answer 3

You are putting ` (on top of the tab button) around your insert value. Those only go on the field. YOu shoudl use ' (on top of the slash button) for the value.