How do I create a PDO parameterized query with a LIKE statement?

眼角桃花 2020-11-22 04:47

Here's my attempt at it:

$query = $database->prepare('SELECT * FROM table WHERE column LIKE "?%"');

$query->execute(array('value'));

while ($r
7 answers
  • 2020-11-22 04:59

    I got this from php delusions

    $search = "%$search%";
    $stmt  = $pdo->prepare("SELECT * FROM table WHERE name LIKE ?");
    $stmt->execute([$search]);
    $data = $stmt->fetchAll();
    

    And it works for me, very simple. Like he says, you have to "prepare our complete literal first" before sending it to the query.

  • 2020-11-22 05:02

    You can also try this one. I faced a similar problem but got the result after some research.

    // Prepare the statement once; the wildcards are added around the user's term
    // in PHP and the whole pattern is passed as a single bound value.
    $stmt = $pdo_connection->prepare('SELECT * FROM table WHERE column LIKE :search');

    $stmt->execute(array(':search' => '%' . $search_term . '%'));

    $result = $stmt->fetchAll(PDO::FETCH_ASSOC);

    print_r($result);
    
  • 2020-11-22 05:06

    Figured it out right after I posted:

    $query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
    $query->execute(array('value%'));
    
    while ($results = $query->fetch())
    {
        echo $results['column'];
    }
    
  • 2020-11-22 05:08

    For those using named parameters, here's how to use LIKE with % partial matching for MySQL databases:

    WHERE column_name LIKE CONCAT('%', :dangerousstring, '%')

    where the named parameter is :dangerousstring.

    In other words, use explicitly unescaped % signs in your own query that are separated and definitely not the user input.

    Edit: Concatenation syntax for Oracle databases uses the concatenation operator: ||, so it'll simply become:

    WHERE column_name LIKE '%' || :dangerousstring || '%'

    However, there are caveats, as @bobince mentions here:

    The difficulty comes when you want to allow a literal % or _ character in the search string, without having it act as a wildcard.

    So that's something else to watch out for when combining LIKE and parameterization.

  • 2020-11-22 05:16

    PDO escapes "%" (may lead to SQL injection): the use of the previous code will give the desired results when looking to match partial strings, BUT if a visitor types the character "%" you will still get results even if you don't have anything stored in the database (it may lead to SQL injections).

    I've tried a lot of variations, all with the same result: PDO is escaping "%", leading to unwanted/unexpected search results.

    I thought it was worth sharing; if anyone has found a workaround, please share it.

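    The concern in the two answers above (a literal "%" or "_" typed by the visitor acting as a wildcard, so that "%" alone matches every row) is handled by escaping the LIKE metacharacters inside the user's term and declaring the escape character with an ESCAPE clause. The following is an added example, not code from any of the answers here; it assumes PHP with the pdo_sqlite extension, a constructed `people` table, and function names of my own choosing.

```php
<?php
// Added example, not code from any answer on this page. Assumes the pdo_sqlite
// extension; the table and its rows are constructed inline so it runs offline.

// Neutralise the LIKE metacharacters inside user input, using '!' as the
// escape character (avoids backslash-in-string-literal differences between
// database engines).
function escapeLikeWildcards(string $term, string $esc = '!'): string
{
    // The escape character itself must be doubled first, otherwise the '!'
    // inserted in front of '%' and '_' would be escaped a second time.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

// Substring search: the wrapping '%' are ours; any '%' or '_' inside the
// term is matched literally because of the ESCAPE clause.
function searchNames(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM people WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . escapeLikeWildcards($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO people (name) VALUES (?)');
foreach (['Alice', 'Bob', '100% cotton', 'a_b'] as $name) { // constructed rows
    $insert->execute([$name]);
}

// A visitor typing just "%" no longer matches every row: only names that
// actually contain a percent sign are returned.
print_r(searchNames($pdo, '%'));
// "_" is likewise taken literally instead of as a single-character wildcard.
print_r(searchNames($pdo, 'a_b'));
```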
  • 2020-11-22 05:17
    $query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
    $query->bindValue(1, "%$value%", PDO::PARAM_STR);
    $query->execute();
    
    // Note: for a SELECT, rowCount() is not guaranteed to report the number of
    // rows on every PDO driver. The original test "!$query->rowCount() == 0"
    // only worked because "!" binds tighter than "=="; this is the intended check.
    if ($query->rowCount() > 0) 
    {
        while ($results = $query->fetch()) 
        {
            echo $results['column'] . "<br />\n";
        }       
    } 
    else 
    {
        echo 'Nothing found';
    }
    