
This is a common way of building queries—by concatenating the variable
portions of the query with the static portions. In this example the query expects a
string from the browser, so the code first builds the select statement up to and
including the opening single quote. It then reads the post data from the request and
appends the value of the “Search” parameter to the query. Finally, it appends the
closing single quote the statement needs.
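The concatenation described above, written out as an added Python example (not code from the book's own sample, which is in a different language) against an in-memory SQLite table. The table, its two rows and the patient names are constructed here for illustration; the column and table names follow the query quoted in the text. The example shows the concatenated statement beside a parameterized form of the same lookup, and what happens when the user-supplied value itself contains a single quote:

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny tblPatients table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblPatients (user_search TEXT, patient_records TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblPatients VALUES (?, ?)",
        [("smith", "records-of-smith"), ("o'brien", "records-of-obrien")],
    )
    return conn


def build_query_by_concatenation(search):
    """Build the statement the way the text describes: static prefix,
    then the value of the "Search" post parameter, then the closing quote.
    The input becomes part of the SQL text itself."""
    return (
        "select patient_records from tblPatients where user_search='"
        + search
        + "'"
    )


def search_concatenated(conn, search):
    """Run the concatenated statement.
    Returns (rows, None) on success or (None, error_text) when the
    database rejects the statement the input produced."""
    sql = build_query_by_concatenation(search)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def search_parameterized(conn, search):
    """The same lookup with a bound parameter: the SQL text is fixed and
    the driver passes the value separately, so a quote in the input is
    just data, never part of the statement."""
    sql = "select patient_records from tblPatients where user_search=?"
    return conn.execute(sql, (search,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("smith", "o'brien"):
        print("input:", repr(value))
        print("  concatenated SQL :", build_query_by_concatenation(value))
        print("  concatenated run :", search_concatenated(db, value))
        print("  parameterized run:", search_parameterized(db, value))
```

A name such as o'brien, which is perfectly ordinary data, is enough to break the concatenated statement: the embedded quote closes the string early and the database reports a syntax error, which is the first visible symptom that input is being interpreted as SQL. The parameterized lookup returns the matching row for the same input because the value is never spliced into the statement text.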
Let’s look at the way various inputs affect this statement. Remember that the
base query is:
Select patient_records from tblPatients where user_search='input'
So if the data entered into the “Search” post data ...