Anyone know how to combine PHP prepared statements with LIKE? i.e.
"SELECT * FROM table WHERE name LIKE %?%";
The % signs need to go in the variable that you assign to the parameter, instead of in the query.
I don't know if you're using mysqli or PDO, but with PDO it would be something like:
$st = $db->prepare("SELECT * FROM table WHERE name LIKE ?");
$st->execute(array('%'.$test_string.'%'));
For mysqli use the following.
// prepare with a plain ? placeholder, then wrap the wildcards around the value before binding it
$st = $db->prepare("SELECT * FROM table WHERE name LIKE ?");
$test_string = '%' . $test_string . '%';
$st->bind_param('s', $test_string);
$st->execute();
You can use the concatenation operator of your respective sql database:
# oracle
SELECT * FROM table WHERE name LIKE '%' || :param || '%'
# mysql
SELECT * from table WHERE name LIKE CONCAT('%', :param, '%')
I'm not familiar with other databases, but they probably have an equivalent function/operator.
You could try something like this:
"SELECT * FROM table WHERE name LIKE CONCAT(CONCAT('%',?),'%')"
In PHP using mysqli you need to define a new parameter, which will be declared as:
$stmt = mysqli_prepare($con,"SELECT * FROM table WHERE name LIKE ?");
$newParameter='%'.$query.'%';
mysqli_stmt_bind_param($stmt, "s", $newParameter);
mysqli_stmt_execute($stmt);
This works for me.
Works great for me, I've looked for an answer for hours, thx.
$dbPassword = "pass";
$dbUserName = "dbusr";
$dbServer = "localhost";
$dbName = "mydb";
$connection = new mysqli($dbServer, $dbUserName, $dbPassword, $dbName);
if($connection->connect_errno)
{
    exit("Database Connection Failed. Reason: ".$connection->connect_error);
}
$tempFirstName = "reuel";
$sql = "SELECT first_name, last_name, pen_name FROM authors WHERE first_name LIKE CONCAT(CONCAT('%',?),'%')";
//echo $sql;
$stateObj = $connection->prepare($sql);
$stateObj->bind_param("s",$tempFirstName);
$stateObj->execute();
$stateObj->bind_result($first,$last,$pen);
$stateObj->store_result();
if($stateObj->num_rows > 0) {
    while($stateObj->fetch()){
        echo "$first, $last \"$pen\"";
        echo '<br>';
    }
}
$stateObj->close();
$connection->close();
I will just adapt Chad Birch's answer for people like me who are used to using bindValue(...) with PDO:
$st = $db->prepare("SELECT * FROM table WHERE name LIKE :name");
$st->bindValue(':name','%'.$name.'%',PDO::PARAM_STR);
$st->execute();
In SQL, you can do it like this using prepared statements.
SELECT * FROM TABLE_NAME WHERE (TABLE_COLUMN LIKE CONCAT('%', :SEARCH_TEXT, '%')) OR (ANOTHER_TABLE_COLUMN LIKE CONCAT('%', :SEARCH_TEXT, '%'))
sprintf can do it. Remember to put another % in front of the original % to escape it.
$ret = sprintf("SELECT * FROM table WHERE name LIKE %%%s%%", $name);
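The answers above that bind the value keep the search term out of the SQL text entirely (the sprintf line does not), but none of them covers one detail: a user-supplied % or _ inside that value still acts as a LIKE wildcard. This added example (my own code, not from any of the answers) escapes those characters and tells the database which escape character was used via an explicit ESCAPE clause; it runs offline against an in-memory SQLite PDO connection with constructed rows, and the table items, column name and the functions likeContains/searchNames are assumptions.

```php
<?php
// Added example, not from the original answers. Wildcards go into the bound
// value (as above), but user-supplied "%" and "_" are escaped first so they
// match literally. Uses an in-memory SQLite database with constructed rows.

// Wrap $term in %...% after escaping the LIKE metacharacters with $esc.
// The escape character itself is escaped first so it is never doubled up later.
function likeContains(string $term, string $esc = '!'): string
{
    $escaped = str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
    return '%' . $escaped . '%';
}

// The ESCAPE clause names the character likeContains() used; the same SQL
// works on MySQL and PostgreSQL. Table "items"/column "name" are assumptions.
function searchNames(PDO $db, string $term): array
{
    $st = $db->prepare("SELECT name FROM items WHERE name LIKE ? ESCAPE '!'");
    $st->execute([likeContains($term)]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');
$ins = $db->prepare('INSERT INTO items (name) VALUES (?)');
// constructed sample rows
foreach (['100% cotton', '100 cotton', 'a_b', 'axb', "O'Brien"] as $name) {
    $ins->execute([$name]);
}

// Without escaping, '100%' would also match '100 cotton' and 'a_b' would
// also match 'axb'; with escaping each term matches only its literal text.
// The quote in O'Br is plain data, because the term never enters the SQL string.
foreach (['100%', 'a_b', "O'Br"] as $term) {
    printf("%-6s => %s\n", $term, implode(', ', searchNames($db, $term)));
}
```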
Related
I want to search in two tables but I am getting no results. This is my code.
$query=mysqli_query($db_connection,"SELECT * FROM db_clients JOIN db_deadreg ON db_clients.clientID=db_deadreg.clientID where fullname like '%$searchq%'");
You could use a concat to build the proper filter
$query=mysqli_query($db_connection,
"SELECT *
FROM db_clients
JOIN db_deadreg ON db_clients.clientID=db_deadreg.clientID
where fullname like concat('%' , $searchq , '%') ; ");
Anyway, you should not use PHP variables in SQL; you are at risk of SQL injection. You should take a look at your SQL driver for prepared statements and binding parameters,
eg:
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("SELECT *
FROM db_clients
JOIN db_deadreg ON db_clients.clientID=db_deadreg.clientID
where fullname like concat('%' , ? , '%')");
$stmt->bind_param("s", $searchq);
$stmt->execute();
I'm connecting to my database through a PDO and I'm preparing this statement and then binding the parameter:
$stmt = $conn->prepare("SELECT * FROM movies WHERE movie_name LIKE '%:mName%'");
$stmt->bindParam(':mName', $moviename);
It doesn't find anything in the database but if I do it like this, it works:
$stmt = $conn->prepare("SELECT * FROM movies WHERE movie_name LIKE '%". $moviename . "%'");
This is the full code, below:
<?php
function Search_movie(){
$conn = new PDO('mysql:host=localhost;dbname=cinema;charset=utf8', 'root');
$moviename = 'cloud';
$stmt = $conn->prepare("SELECT * FROM movies WHERE movie_name LIKE '%:mName%'");
$stmt->bindParam(':mName', $moviename);
var_dump($stmt);
$stmt->execute();
$data = $stmt->fetch(PDO::FETCH_ASSOC);
print "<br>";
var_dump($data);
}
Search_movie();
?>
Can anybody tell me why it works that way?
The solution would be to not include the % in your query but in your param, as it is part of the search expression and not a "flag" of LIKE:
$stmt = $conn->prepare("SELECT * FROM movies WHERE movie_name LIKE :mName");
// bindValue() rather than bindParam(): bindParam() takes its value by reference,
// so passing it a concatenated expression is a fatal error
$stmt->bindValue(':mName', '%' . $moviename . '%');
Note that you don't have to put the single quotes around the parameter, since PDO will be dealing with this on its own.
I am running into problems implementing LIKE in PDO.
I have this query:
$query = "SELECT * FROM tbl WHERE address LIKE '%?%' OR address LIKE '%?%'";
$params = array($var1, $var2);
$stmt = $handle->prepare($query);
$stmt->execute($params);
I checked $var1 and $var2; they both contain the words I want to search for. My PDO is working fine, since some of my other queries (SELECT, INSERT) work; it's just that I am not familiar with LIKE in PDO.
No results are returned. Is my $query syntactically correct?
You have to include the % signs in the $params, not in the query:
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
If you'd look at the generated query in your previous code, you'd see something like SELECT * FROM tbl WHERE address LIKE '%"foo"%' OR address LIKE '%"bar"%', because the prepared statement is quoting your values inside of an already quoted string.
Simply use the following:
$query = "SELECT * FROM tbl WHERE address LIKE CONCAT('%', :var1, '%')
OR address LIKE CONCAT('%', :var2, '%')";
$sqlprep = $handle->prepare($query);
$ar_val = array(':var1'=>$var1, ':var2'=>$var2);
if($sqlprep->execute($ar_val)) { ... }
No, you don't need to quote prepare placeholders. Also, include the % marks inside of your variables.
LIKE ?
And in the variable: %string%
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
See the example below:
$title = 'PHP%';
$author = 'Bobi%';
// query
$sql = "SELECT * FROM books WHERE title like ? AND author like ? ";
$q = $conn->prepare($sql);
$q->execute(array($title,$author));
Hope it will work.
I have the following query (which doesn't work).
How do I bind strings inside an existing string with % (I believe the % is not the problem, but I'm really not sure)?
$sql="SELECT * FROM T WHERE f LIKE '%:bindParamString%'";
You can include % symbols into your value:
$param = '%'.$param.'%';
$query = "SELECT * FROM T WHERE f LIKE ?";
Or use SQL to concatenate string in database:
## if you have mysql
$query = "SELECT * FROM T WHERE f LIKE CONCAT('%', ?, '%')";
It is also a good idea to use LIKE instead of = when you're searching by patterns.
Try something like this:
$db = new PDO(...);
$sql = "SELECT * FROM T WHERE f LIKE ?";
$stmt = $db->prepare($sql);
$val = "%{$val}%";
$stmt->bindParam(1, $val, PDO::PARAM_STR);
$stmt->execute();
For more info, I suggest to read the related doc page!