问题
I am trying to sanitize my SQL calls and I am stuck where I am using a LIKE statement. I have tried most answers on SO, but most of them are in PDO or it's very confusing.
This is the original code I have which works.
if(isset($_POST['search']))
{
$valueToSearch = $_POST['valueToSearch'];
$query = "SELECT * FROM `galleries_info`
WHERE CONCAT(`Gallery_Id`,`Gallery_Name`,`Gallery_Type_Id` )
LIKE '%".$valueToSearch."%'";
$search_result = filterTable($query);
}
else {
$search_result = "Search something";
}
// function to connect and execute the query
function filterTable($query)
{
include 'db_connect.php';
$link = mysqli_connect($host, $username,$password ,$db );
$filter_Result = mysqli_query($link, $query);
return $filter_Result;
}
This is how I tried sanitizing. FYI, I bipassed the filterTable function here since I thought stmt fetches the query already.
if(isset($_POST['search']))
{
$valueToSearch = $_POST['valueToSearch'];
/*$query = "SELECT * FROM `galleries_info`
WHERE CONCAT(`Gallery_Id`,`Gallery_Name`,`Gallery_Type_Id` )
LIKE '%".$valueToSearch."%'"; */
$query = "SELECT * FROM `galleries_info`
WHERE CONCAT(`Gallery_Id`,`Gallery_Name`,`Gallery_Type_Id` )
LIKE ?";
$stmt = mysqli_prepare($link, $query);
if($stmt){
$vts = "%.$valueToSearch.%";
mysqli_stmt_bind_param($stmt, "s", $vts);
mysqli_stmt_bind_result($stmt, $dbvts);
mysqli_stmt_execute($stmt);
mysqli_stmt_fetch($stmt);
}else{
echo "no stmt";
}
//$search_result = filterTable($query);
}
else {
$search_result = "Search something";
}
// function to connect and execute the query
function filterTable($query)
{
include 'db_connect.php';
$link = mysqli_connect($host, $username,$password ,$db );
$filter_Result = mysqli_query($link, $query);
return $filter_Result;
}
What am I doing wrong? I'm certain it has got to be with something regarding the %s in the LIKE statement
来源:https://stackoverflow.com/questions/36614469/like-statement-sanitization-sql-php