
SQL syntax error when completing query on a database

I'm trying to search a video database for information about them. Everything is in one page. There are no external forms posting into this one; it's located on this page.

<?php
$connection = mysql_connect("localhost","root","Oliver") or die (mysql_error());

mysql_select_db("videos", $connection) or die (mysql_error());

$sql = "SELECT * FROM videos";

if (isset($_POST['search'])){
  $search_term = mysql_real_escape_string($_POST['search_box']);

  $sql .= "WHERE name LIKE '{$search_term}'";
}

$query = mysql_query($sql) or die(mysql_error());

?>
<html>
<form name="search_form" method="POST" action="display_data.php">
  <input type="text" name="search_box" placeholder="Search..."/>
  <input type="submit" name="search" value="Search"/>
</form>
<table style="width:70%; cellpadding:5 cellspace:6">

<tr>
  <td><strong>Film ID</strong></td>
  <td><strong>Name</strong></td>
</tr>
<?php while ($row = mysql_fetch_array($query)) {?>
  <tr>
    <td><?php echo $row['ID']; ?></td>
    <td><?php echo $row['name']; ?></td>
  </tr>


<?php } ?>

</table>
</html>

But I get the following error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE 'Walking'' at line 1

Walking is just the search term.

You should echo $query out before you actually run it, copy the output and run it in a mysql session directly. I'm guessing it will tell you that you need a space before the "WHERE" keyword.

Oh, and mysql_query is deprecated and very dangerous - look at PDO or mysqli instead.

Looks like your problem is the concatenation of your strings. The result will be SELECT * FROM videosWHERE name LIKE '{$search_term}' ;

Add a space before WHERE and the error should be gone.

You should no longer use the deprecated mysql_* API. Use mysqli_* or PDO with prepared statements to prevent SQL injection.

Simply add a space in your WHERE clause, as shown below:

$sql .= " WHERE name LIKE '{$search_term}'";

Just add a space before WHERE!

$sql .= " WHERE name LIKE '{$search_term}'";

Your query is

$sql = "SELECT * FROM videos";
$sql .= "WHERE name LIKE '{$search_term}'";

No space between videos and where

You need to add a space

$sql .= " WHERE name LIKE '{$search_term}'"; 
         ^

You can use the addslashes() function rather than mysql_real_escape_string(). It quotes the string with slashes, so it will be very useful to you when you are adding any apostrophe in your field.

I have set up the PHP code with the above detail; replace your PHP code section with it and check.

<?php
$connection = mysql_connect("localhost","root","Oliver") or die (mysql_error());

mysql_select_db("videos", $connection) or die (mysql_error());

//Select statement for query

$sql = " SELECT * FROM videos ";
//Check for request
if (isset($_POST['search'])){
   //Prepare request value for query
   $search_term = addslashes($_POST['search_box']);

   //Where statement
  $sql .= " WHERE name LIKE '" . $search_term . "' ";
}

$query = mysql_query($sql) or die(mysql_error());
?>

I have removed some bugs and set addslashes(). Please try this.

And I suggest that, instead of using the old mysql* functions, you use PDO and write parameterized queries.

Let me know if you require any help from me regarding this.
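
The PDO prepared-statement approach recommended in the answers above, as an added example that is not part of the original thread: it builds the same optional WHERE clause with a bound parameter and escapes LIKE wildcards in the search term. The in-memory SQLite database, the search_videos() helper and the sample rows are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the original thread.
// Assumption: an in-memory SQLite database stands in for the MySQL "videos"
// database so the script runs offline; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows.
$pdo->exec('CREATE TABLE videos (ID INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO videos (name) VALUES (?)');
foreach (['Walking', "Walking with O'Brien", '100% Wolf'] as $name) {
    $insert->execute([$name]);
}

/**
 * Hypothetical helper: search videos by name.
 * $term is null when no search was submitted.
 */
function search_videos(PDO $pdo, ?string $term): array
{
    $sql = 'SELECT ID, name FROM videos';
    $params = [];
    if ($term !== null && $term !== '') {
        // The leading space keeps the clause from fusing into "videosWHERE".
        $sql .= " WHERE name LIKE :term ESCAPE '!'";
        // Escape LIKE wildcards in user input so % and _ match literally,
        // then add our own wildcards for a substring match (the question's
        // query had no wildcards, so it matched whole names only).
        $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
        $params[':term'] = '%' . $escaped . '%';
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params); // the value travels separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: plain term, apostrophe, quote-heavy string, bare wildcard.
foreach (['Walking', "O'Brien", "' OR '1'='1", '%'] as $term) {
    $rows = search_videos($pdo, $term);
    printf("%-14s -> %d row(s)\n", $term, count($rows));
    foreach ($rows as $row) {
        // Encode on output, as the results table in the question should.
        echo '  ', (int) $row['ID'], ' ',
            htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Because the search term is bound as a parameter, quotes in it never reach the SQL parser, so neither mysql_real_escape_string() nor addslashes() is needed.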
