problems with sprintf and escaping %

I have the following query:

$query = "SELECT * FROM cds WHERE $campo LIKE ('%$busqueda%') ORDER BY $ordenada";

which I'm trying to change to sprintf so I can use mysql_real_escape_string,
since I've heard that it's a better and more secure way to do queries,
like so:

$query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%s' ORDER BY '%s'",
mysql_real_escape_string($campo),
mysql_real_escape_string($busqueda),
mysql_real_escape_string($ordenada)
);

The problem is that I lack the % before and after the $busqueda.
I read that I should escape the % twice (like so?):

$query = sprintf("SELECT * FROM cds WHERE '%s' LIKE '%%%s%%' ORDER BY '%s'",
etc...

But obviously I'm doing something wrong, since I get 0 results.

How do I express the query above with sprintf, and how do I escape
the % correctly?

Thank you very much,

NN
nn [ Fr, 11 April 2008 03:50 ] [ ID #1940476 ]
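An added example, not from the original post: `%%` is indeed how a literal percent is written in a sprintf format, so `'%%%s%%'` is correct; the zero-result behaviour comes from the single quotes around the column and ORDER BY names, which turn them into string literals rather than identifiers, and string escaping cannot protect identifiers anyway, so they are checked against a whitelist here. The code assumes a mysqli connection `$db` (the mysql_* functions used in the post were removed in PHP 7), a table `cds` with the columns listed in `$allowedColumns`, and also shows a prepared-statement version, which goes beyond what the post asked.

```php
<?php
// Added example, not code from the original post. Assumes a mysqli
// connection $db and a table `cds` with the whitelisted columns below.

// Column names used for WHERE and ORDER BY must come from a fixed list:
// escaping functions protect string values, not identifiers.
$allowedColumns = ['titulo', 'artista', 'anio'];

function checkColumns(array $allowed, string ...$names): void
{
    foreach ($names as $name) {
        if (!in_array($name, $allowed, true)) {
            throw new InvalidArgumentException("column not allowed: $name");
        }
    }
}

// Escape the LIKE metacharacters in the user's term so that a typed "%"
// or "_" matches literally instead of acting as a wildcard.
function escapeLikeTerm(string $term): string
{
    return addcslashes($term, '%_\\');
}

// sprintf version of the post's query: "%%" is a literal percent sign,
// so the wildcards live in the format string and only the escaped
// search term is substituted for %s. Identifiers go in backticks.
function buildCdSearch(mysqli $db, string $campo, string $busqueda,
                       string $ordenada, array $allowed): string
{
    checkColumns($allowed, $campo, $ordenada);
    return sprintf(
        "SELECT * FROM cds WHERE `%s` LIKE '%%%s%%' ORDER BY `%s`",
        $campo,
        $db->real_escape_string(escapeLikeTerm($busqueda)),
        $ordenada
    );
}

// Prepared-statement version: the search term is bound as a parameter,
// so no string escaping of the value is needed at all; the column names
// still have to be whitelisted because they cannot be bound.
function searchCds(mysqli $db, string $campo, string $busqueda,
                   string $ordenada, array $allowed): array
{
    checkColumns($allowed, $campo, $ordenada);
    $sql = sprintf("SELECT * FROM cds WHERE `%s` LIKE ? ORDER BY `%s`", $campo, $ordenada);
    $stmt = $db->prepare($sql);
    $pattern = '%' . escapeLikeTerm($busqueda) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

For input `$busqueda = "50%"`, `buildCdSearch` yields `... LIKE '%50\\%%' ...`, which MySQL reads back as the pattern `%50\%%`, matching titles containing the literal text "50%".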