This question already has answers here:
Combine PHP prepared statments with LIKE
(8 answers)
How do I create a PDO parameterized query with a LIKE statement?
(9 answers)
Closed 1 year ago.
I am creating a bot and the user can enter name of a movie and results should show up by searching inside a SQL table and find the right movies name so I used prepared statements in PDO but I want to when a user type the incomplete name of a movie it shows up so I want it to be case insensitive and also find matches.
I am using mysql dirver.
before this the SQL query was like this
also noting this is a string inside a PHP script
"SELECT * FROM movies WHERE name = :name LIMIT 5"
but then I thought to use the way that I explained to you above and I know it isn't case insensitive.
"SELECT * FROM movies WHERE name LIKE :name" . "'%' LIMIT 5"
but I don't think this will work properly and fine so how should I write this query to work as I explained at the beginning?
Should use different keywords like REGEXP ?
Let me assume that you are using MySQL (based on the regexp reference).
You can then use:
WHERE name LIKE CONCAT(:name, '%')
In other databases you can use the standard string concatenation operator, ||.
Note: This is often handled at the application level, so :name is given the '%' in the application. Then your original code works.
A similar approach would work for a regular expression, but the logic would be:
WHERE name LIKE CONCAT('^', :name)
Related
This question already has answers here:
Mysql or/and precedence?
(4 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
While displaying the filtered data, this sql can filter data as per $locationone and $locationtwo.
But it is failing to filter data as per $cate
I mean its displaying all the rows from both locations and failing to filter it as per science(topic)
$cat= "science";
$cate= preg_replace("#[^0-9a-z]#i","", $cat);
$locationone= "dhk";
$locationtwo= "ctg";
preg_replace("#[^0-9a-z]#i","", $locationone);
preg_replace("#[^0-9a-z]#i","", $locationtwo);
$sql= "SELECT * FROM post INNER JOIN user ON post.user_id= user.id
WHERE post.topic LIKE '%$cate%'
AND post.location LIKE '%$locationone%'
OR post.location LIKE '%$locationtwo%'
order by post_id desc";
Logical operator OR has lower prescedence than AND. So you need to surround the ORed conditions with parentheses:
WHERE
post.topic LIKE '%$cate%'
AND (post.location LIKE '%$locationone%' OR post.location LIKE '%$locationtwo%')
Without the parentheses, your code is equivalent to:
WHERE
(post.topic LIKE '%$cate%' AND post.location LIKE '%$locationone%')
OR post.location LIKE '%$locationtwo%'
Here you can see that this code will allow locations that match on 'locationtwo' whatever the value of topic.
Important note: you do want to use prepared statements and parameterized queries everywhere in your code, for security and efficiency. See this post for how to proceed.
This question already has answers here:
PHP PDO prepared statement -- MySQL LIKE query
(3 answers)
Closed 6 years ago.
As you can see in the title, I have a table that I want to take use of in a website I have.
This is how the MySQL statement looks like now: SELECT * FROM bth_nav WHERE name LIKE (?) OR owner LIKE (?);
On my website I want to either search for name or owner. Right now I can only search for name but not owner. This is why I'm asking for help, I've tried to rewrite the statement but however I do it i can only search for one of them.
Thanks in advance.
The answer will be a little more complicated then you would expect.
I see question marks in your query, this way I can assume you're using prepared statements (which is good!).
Your old statement was using 1 value (for the name), and now you want to use 2.
You have some options for this to work.
The easiest one would be that you bind the value twice, but that's not the nicest way.
A better way would be to name your parameters, like this:
SELECT * FROM bth_nav WHERE name LIKE (:nameOwner) OR owner LIKE (:nameOwner);
Hence that I use the same name for both parameters here. Now you can bind the value to the named parameter with bindValue, and you need do this only once.
I'm having an issue when using bind parameters in my DQL statement.
I've created a JSONB DBAL data type and a FunctionNode called JSON_CONTAINS_ANY() function. The final query that I want is:
SELECT * from Cache where content->'status' ?| ['started','inprogress'];
My DQL statement looks as follow:
$dql = "SELECT e FROM Entity e WHERE JSON_CONTAINS_ANY(content, 'status', :statusList";
$dql->setParameter('statusList',$statusList, Jsonb::JSONB);
Question:
The problem is the the ?| operator gets treated as a parameter expansion index and screws up my queries. Any ideas on how to handle this?
I don't know if my answer will be relevant, I see the question was asked 6 years ago, but, more elegant solution appeared literally 2 years ago, then can someone help. You can read in detail at this link https://wiki.php.net/rfc/pdo_escape_placeholders
from the description I will take out that now ? you can get screened in this way ?? as described in:
That means that the “??” string would be translated to “?” when sending the query to the database, whereas “?” is still going to be interpreted as a positional parameter placeholder.
$stmt = $pdo->prepare('SELECT * FROM tbl WHERE json_col ?? ?');
$stmt->execute(['foo']);
This question already has answers here:
How get post value in pagination
(2 answers)
Closed 8 years ago.
I am working on pagination on search result.I referred below link and I am not able to pass value when search text starts with single quote..
How get post value in pagination.
Can you please help me..
thanks
This is because the single quote is embedded into the literal string $sql. It halts the query, and this is dangerous because a hacker can do what is called SQL Injection -> https://www.acunetix.com/websitesecurity/sql-injection/ .
Anyway, the mysql extension has been deprecated, meaning it is no longer supported and maintained. You have two easy options: mysqli or PDO. I personally recommend using PDO -> http://cz1.php.net/PDO . It will be easy to convert your code.
With PDO you can bind your input to certain fields:
$sql="Select count(*) from FIMTRN_Memorial where FirstName like :search";
$sql = $database->prepare($sql);
$sql->execute(array(":search" => "%".$_SESSION['searchchar']."%"));
$result = $sql->fetchAll(PDO::FETCH_ASSOC);
I hope I could help!
UPDATE:
With the above parameterized query, your search string cannot contain a percentage sign, as this will act as a wild-card character.
UPDATE 2:
I don't know if you noticed that $_GET{'page'} is meant to be $_GET['page'] in the previous answer.
This question already has answers here:
How to select two columns as one?
(2 answers)
Closed 8 years ago.
I want to make a "search engine" with people in php. I have two columns. The first is with first_name and the secon is with last name i use this sql syntax:
SELECT *
FROM users
WHERE first_name OR last_name LIKE '$search_term%'
I wand the sql to search for first name and for last name the same time with out having one column with first_name and last_name together. Please Help !!!!
it should be
SELECT *
FROM users
WHERE first_name LIKE '$search_term%' AND
last_name LIKE '$search_term%'
But the query above performs full table scan because it doesn't use index. For better performance, search about FULL TEXT SEARCH.
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?