发表新帖
发表新帖

How do I create a PDO parameterized query with a LIKE statement?

后端 未结
关注
7 1185
眼角桃花
眼角桃花 2020-11-22 04:47

Here\'s my attempt at it:

$query = $database->prepare(\'SELECT * FROM table WHERE column LIKE \"?%\"\');

$query->execute(array(\'value\'));

while ($r
相关标签:
7条回答
  • 闹比i
    2020-11-22 04:59

    I got this from php delusions

    $search = "%$search%";
$stmt  = $pdo->prepare("SELECT * FROM table WHERE name LIKE ?");
$stmt->execute([$search]);
$data = $stmt->fetchAll();

    And it works for me, very simple. Like he says , you have to "prepare our complete literal first" before sending it to the query

    0 讨论(0)
  • 你的背包
    2020-11-22 05:02

    You can also try this one. I face similar problem but got result after research.

    $query = $pdo_connection->prepare('SELECT * FROM table WHERE column LIKE :search');

$stmt= $pdo_connection->prepare($query);

$stmt->execute(array(':search' => '%'.$search_term.'%'));

$result = $stmt->fetchAll(PDO::FETCH_ASSOC);

print_r($result);
    0 讨论(0)
  • 甜味超标
    2020-11-22 05:06

    Figured it out right after I posted:

    $query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->execute(array('value%'));

while ($results = $query->fetch())
{
    echo $results['column'];
}
    0 讨论(0)
  • 我在风中等你
    2020-11-22 05:08

    For those using named parameters, here's how to use LIKE with % partial matching for MySQL databases: 

    WHERE column_name LIKE CONCAT('%', :dangerousstring, '%')

    where the named parameter is :dangerousstring.

    In other words, use explicitly unescaped % signs in your own query that are separated and definitely not the user input.

    Edit: Concatenation syntax for Oracle databases uses the concatenation operator: ||, so it'll simply become:

    WHERE column_name LIKE '%' || :dangerousstring || '%'

    However there are caveats as @bobince mentions here that:

    The difficulty comes when you want to allow a literal % or _ character in the search string, without having it act as a wildcard.

    So that's something else to watch out for when combining like and parameterization.

    0 讨论(0)
  • 遥遥无期
    2020-11-22 05:16

    PDO escapes "%" (May lead to sql injection): The use of the previous code will give the desire results when looking to match partial strings BUT if a visitor types the character "%" you will still get results even if you don't have anything stored in the data base (it may lead sql injections)

    I've tried a lot of variation all with the same result PDO is escaping "%" leading unwanted/unexcited search results.

    I though it was worth sharing if anyone has found a word around it please share it

    0 讨论(0)
  • 礼貌的吻别
    2020-11-22 05:17 
    $query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->bindValue(1, "%$value%", PDO::PARAM_STR);
$query->execute();

if (!$query->rowCount() == 0) 
{
    while ($results = $query->fetch()) 
    {
        echo $results['column'] . "<br />\n";
    }       
} 
else 
{
    echo 'Nothing found';
}
    0 讨论(0)
 看不清?
提交回复
热议问题