Hi
I put together the following script using the query module:
{exp:query limit="10" sql="SELECT * FROM sti_channel_titles WHERE title LIKE '%{segment_3}%' AND sti_channel_titles.channel_id !='2' ORDER BY entry_date DESC"}
    {title}
{/exp:query}

The problem is that I get the following error if segment 3 is the word "leave":

Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\intranet\administration\expressionengine\libraries\Functions.php(656) : eval()'d code on line 110

If I change the word to anything else I get results. Does anybody know why this happens?

Thank you,
Nathaniel Hamann
I’d guess it’s because leave is a SQL command and that segment isn’t being properly sanitized before the query’s executed.
I’m not sure what the best practice is for sanitizing data for the query module, however, I’d guess a bit of googling would point you in the right direction.
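The reply above recommends sanitizing the segment before it reaches the query. As an added example (not code from this thread and not ExpressionEngine's own API), here is the approach a security engineer would take in plain PHP: bind the value as a query parameter instead of splicing it into the SQL string, and escape the LIKE metacharacters so the user's text is matched literally. It uses PDO with an in-memory SQLite database so it runs stand-alone; the `channel_titles` table and its rows are constructed for the demo and only loosely mirror the `sti_channel_titles` columns used in the original query.

```php
<?php
// Added example: putting a URL segment into a LIKE query safely.
// PDO + in-memory SQLite so it runs offline; schema and rows are constructed
// for the demo and are not ExpressionEngine's real channel_titles table.

// Escape the LIKE metacharacters (%, _ and the escape character itself) so the
// user's text matches literally, then wrap it in the "contains" wildcards.
function likePattern(string $needle, string $escape = '\\'): string
{
    $escaped = str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $needle
    );
    return '%' . $escaped . '%';
}

// The segment is bound as a parameter, never concatenated into the SQL, so a
// value such as "leave", "it's" or "' OR 1=1 --" is treated as data.
function findTitles(PDO $db, string $needle, int $limit = 10): array
{
    $stmt = $db->prepare(
        "SELECT title FROM channel_titles
         WHERE title LIKE :pattern ESCAPE '\\'
           AND channel_id != 2
         ORDER BY entry_date DESC
         LIMIT :limit"
    );
    $stmt->bindValue(':pattern', likePattern($needle), PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE channel_titles (
    entry_id INTEGER PRIMARY KEY,
    channel_id INTEGER,
    title TEXT,
    entry_date INTEGER)");

// Constructed sample rows; channel 2 is the one the original query excludes.
$insert = $db->prepare("INSERT INTO channel_titles VALUES (?, ?, ?, ?)");
foreach ([
    [1, 1, 'Annual leave policy',    1300000000],
    [2, 1, 'How to leave feedback',  1300000100],
    [3, 2, 'Leave (hidden channel)', 1300000200],
    [4, 1, '100% attendance award',  1300000300],
] as $row) {
    $insert->execute($row);
}

print_r(findTitles($db, 'leave'));        // two rows, newest first; channel 2 excluded
print_r(findTitles($db, '100%'));         // only the title containing a literal "100%"
print_r(findTitles($db, "' OR 1=1 --"));  // no rows: the quote is data, not SQL
```

The same two steps apply inside an EE template: escape the LIKE wildcards and pass the value to the database layer as data rather than building the SQL by string substitution. If the installed ExpressionEngine version's database class offers an `escape_like_str()` method (the CodeIgniter driver it is based on does; check your version), it does the wildcard escaping for you.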
I have also tried the below manual PHP script in the opening tag and still get the same problem.
{exp:channel:entries channel="gallery|article|calendar_events|maps|page|document_repository|news|links|vacancy" entry_id="
<?php
// Read the segment through the URI class rather than the {segment_3} template
// variable: that variable is substituted into this PHP source before it is
// eval'd, so a segment containing a quote or "$" breaks the code (or lets a
// visitor inject PHP).
$segment = $this->EE->uri->segment(3);

// Escape the LIKE wildcards (% and _) so they match literally, then escape the
// value for use inside the quoted SQL string.
$title = $this->EE->db->escape_str(addcslashes($segment, '%_'));

$sql = "SELECT sti_channel_titles.entry_id FROM sti_channel_titles WHERE sti_channel_titles.title LIKE '%".$title."%' AND sti_channel_titles.channel_id !='2' GROUP BY sti_channel_titles.entry_id ORDER BY RAND() LIMIT 100";
$query = $this->EE->db->query($sql);

$ids = array();
if ($query->num_rows() > 0)
{
    foreach ($query->result_array() as $row)
    {
        $ids[] = $row['entry_id'];
    }
}
// Join with "|" (no trailing separator) to form the entry_id parameter.
echo implode('|', $ids);
?>
" }