This question already has answers here:
pdo prepared statements with wildcards
(2 answers)
How to bind LIKE values using the PDO extension?
(7 answers)
How do I create a PDO parameterized query with a LIKE statement?
(9 answers)
PHP PDO & SQL Search wildcard bind parameters
(1 answer)
Using named parameters with PDO for LIKE
(1 answer)
Closed 4 years ago.
I've been trying to replace the value in '%:value%' when I use the LIKE operator in my query.
I have also tried using CONCAT() but that didnt work either.
$query = "SELECT *
FROM books
WHERE title LIKE '%:title%'";
...
...
statement->bindValue(':title', $title, PDO::PARAM_STR);
:title should be replaced with the variable $title but it doesnt. The query is working fine but the :title just doesnt get replaced.
You probably want :
$query = "SELECT *
FROM books
WHERE title LIKE CONCAT( '%', :title, '%')";
...
...
statement->bindValue(':title', $title, PDO::PARAM_STR);
The bind parameter should be used as a litteral string. CONCAT can be used to concatenate the parameter with percent signs on both ends.
Did you try using concat() like this?
SELECT *
FROM books
WHERE title LIKE CONCAT('%', :title, '%')
Related
This question already has answers here:
How do I create a PDO parameterized query with a LIKE statement?
(9 answers)
Closed 1 year ago.
I have the following statement set up. I have replaces a long list of columns with * to make this more readable. FYI - I already know that there are questions similar to this. They use SINGLE select statements with a SINGLE parameter. Somehow this is different.
$sql = <<<EOM
SELECT *
FROM table1
WHERE StreetName like '%:StreetName_Coml%'
UNION
SELECT *
FROM table2
WHERE StreetName like '%:StreetName_Coms%'
UNION
SELECT *
FROM table3
WHERE StreetName like '%:StreetName_Farm%'
UNION
SELECT *
FROM table4
WHERE StreetName like '%:StreetName_Land%';
EOM;
$p = $db->prepare($sql);
$StreetName = 'tree'
$p->bindValue(':StreetName_Coml', $StreetName);
$p->bindValue(':StreetName_Coms', $StreetName);
$p->bindValue(':StreetName_Farm', $StreetName);
$p->bindValue(':StreetName_Land', $StreetName);
$p->execute();
$data = $p->fetchAll(PDO::FETCH_ASSOC);
The query runs, with no PHP errors. But I am getting no results back. I should be getting back 100's of rows. When I run the same query in my database browser I get 100's of rows. There is something in how the parameters are being bound that is not working.
I have tried the following:
bindParam instead of bindValue
moving the '%' from the SQL statement and into $StreetName. So instead of 'tree' it is '%tree%'
using a CONCAT statement like "WHERE StreetName like CONCAT('%',:StreetName_Land,'%')
and various mix and matching of the above.
What am I missing?
Put the percent signs in the bind, so your SQL is like this, unqouted:
WHERE StreetName like :StreetName
And then your binds are like this:
$p->bindValue(':StreetName', '%' . $StreetName . '%');
This question already has answers here:
How do I set ORDER BY params using prepared PDO statement?
(7 answers)
Closed 5 years ago.
I am using different values in ORDER BY clause of SQL queries based upon user selection. How do I escape this selected value using mysqli_real_escape_string() function?
For example, the url is as following:
localhost/person/person_listing.php?sort_by=date_of_birth
Based on this I am using:
if (isset($_GET['sort_by'])) {
$sort_by = trim($_GET['sort_by']);
if (!empty($sort_by)) {
$order_by_sql = " ORDER BY $sort_by";
}
}
The question is, what is the best way to escape this type of add-on to SQL? Can the entire ORDER BY clause be escaped at once, or each value has to be escaped individually?
The best way to do this would be to use a prepared statement. Your code would look kind of as follows: (grabbed from here.
Basically, you add a question mark wherever you have a variable you would want to pass. And then you pass it with the mysqli_stmt_bind_param function. ss here means that you want to pass 2 strings.
if ($stmt = mysqli_prepare($link, "SELECT * FROM users WHERE Name=? ORDER BY ?")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "ss", $name, $sort_by);
}
This question already has answers here:
How can I with mysqli make a query with LIKE and get all results?
(2 answers)
Closed 5 years ago.
I created code for select query for MySQL in PHP.
The code:
$vericek4 = $baglanti2 -> prepare ("select no from urunlist where urunad like '%?%'");
$vericek4 -> bindParam(1, $aramayss);
$vericek4 -> execute();
$satirsay2 = $vericek4 -> rowCount();
I have data in $aramayss. But $satirsay2 is null.
It "works". It just doesn't do what you expect. The ? is in a string, so it is not substituted with the parameter value.
You can construct the like pattern using concat():
select no from urunlist where urunad like concat('%', ?, '%')
Alternatively, add the wildcards in PHP, and just use:
select no from urunlist where urunad like ?
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Using LIKE in bindParam for a MySQL PDO Query [duplicate]
(2 answers)
Closed 7 years ago.
I'm trying to get PDO to return the results of a wildcard search. My code is:
$search = "%Notes%";
$result = $db->prepare("SELECT * FROM books WHERE 'name' LIKE :search");
$result->bindParam(':search', $search);
$result->execute();
while($arr = $result->fetch(PDO::FETCH_ASSOC)){
echo $arr['name'];
}
At the moment, I get a blank screen. If I run the sequel through PHPMyAdmin:
SELECT * FROM books WHERE name LIKE '%Notes%'
I get the appropriate result.
I assume it's something to do with the way I am formatting my PDO statement, I know you can't have a dynamic column name but I don't see what is going wrong?
in your query you have 'name' change that to just backticks instead of quotes
aka
$result = $db->prepare("SELECT * FROM `books` WHERE `name` LIKE :search");
you can also just remove the backticks
This question already has answers here:
How to bind LIKE values using the PDO extension?
(7 answers)
Closed 7 years ago.
I'm trying to get a PDO query running, so I'm doing:
$src = $this->conn->prepare("SELECT name, model, software FROM product WHERE
model LIKE '%:search_string%' OR
name LIKE '%:search_string%' OR
software LIKE '%:search_string%'");
$src->bindParam(':search_string', $search_string);
$src->execute();
return $src->fetchAll();
But when I var_dump this, I always get an empty array ( [] ). However, if I change it to just "SELECT name, model, software FROM product", I get all of the products, just as expected, so how am I using the LIKE clause wrong? Or am I doing this completely wrong?
Bound parameters cannot be used in this way. You have to input it as LIKE :search_string in the prepared query, then add the percent signs in the bound value (i.e. $src->bindParam(':search_string', '%' . $search_string . '%');).
See also this comment on PDOStatement::bindParam.