Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using named parameters with PDO for LIKE

Tags:

I am trying to search the name field in my database using LIKE. If I craft the SQL 'by hand` like this:

$query = "SELECT * \n"         . "FROM `help_article` \n"         . "WHERE `name` LIKE '%how%'\n"         . ""; $sql = $db->prepare($query); $sql->setFetchMode(PDO::FETCH_ASSOC); $sql->execute();

Then it will return relevant results for 'how'.
However, when I turn it into a prepared statement:

$query = "SELECT * \n"         . "FROM `help_article` \n"         . "WHERE `name` LIKE '%:term%'\n"         . ""; $sql->execute(array(":term" => $_GET["search"])); $sql->setFetchMode(PDO::FETCH_ASSOC); $sql->execute();

I am always getting zero results.

What am I doing wrong? I am using prepared statements in other places in my code and they work fine.

like image 299
David Renolds Avatar asked Aug 31 '11 03:08

David Renolds

People also ask

What is PDO parameter binding?

Parameter binding is essential for protecting your web application from SQL-injection. Pretty much all data which is going to be used in SQL statement needs binding. Binding simply saying is just a way to tell engine that a particular piece of data is a string, number, character and so on.

What does the Prepare method of a PDO object return when called successfully?

Return Values ¶ If the database server successfully prepares the statement, PDO::prepare() returns a PDOStatement object. If the database server cannot successfully prepare the statement, PDO::prepare() returns false or emits PDOException (depending on error handling).

What is PDO :: PARAM_STR in PHP?

PDO::PARAM_STR. Represents SQL character data types. For an INOUT parameter, use the bitwise OR operator to append PDO::PARAM_INPUT_OUTPUT to the type of data being bound. Set the fourth parameter, length , to the maximum expected length of the output value.

How does PDO prepared statements work?

In layman's terms, PDO prepared statements work like this: Prepare an SQL query with empty values as placeholders with either a question mark or a variable name with a colon preceding it for each value. Bind values or variables to the placeholders. Execute query simultaneously.

1 Answers

The bound :placeholders are not to be enclosed in single quotes. That way they won't get interpreted, but treated as raw strings.

When you want to use one as LIKE pattern, then pass the % together with the value:

$query = "SELECT *            FROM `help_article`            WHERE `name` LIKE :term ";  $sql->execute(array(":term" => "%" . $_GET["search"] . "%"));

Oh, and actually you need to clean the input string here first (addcslashes). If the user supplies any extraneous % chars within the parameter, then they become part of the LIKE match pattern. Remember that the whole of the :term parameter is passed as string value, and all %s within that string become placeholders for the LIKE clause.

like image 199
mario Avatar answered Sep 23 '22 13:09

mario
Sign in to Comment

Related questions

How to access Gnuplot's (auto)range values and modify them to add some margin?
Proper way to use versions and milestones
How to list local commits difference in git
Idiomatic use of parentheses in Ruby
add method to loaded class/module in python
Array intersection in Bash [duplicate]
Pinging an IP address using PHP and echoing the result
How to generate MD5 hash code for my WinRT app using C#?
Why doesn't this a:visited css style work?
Multi-dimensional array transposing
Scala equivalent to Python returning multiple items
How do dollar and number sign together work in perl?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!