Is it possible to bindParam WHERE name like %:name% - php

I'm testing a small search feature, but I've come across an error that I cannot seem to solve. You can see the PDO query here:
$search = "test1"; // later to be changed to $_POST['search'];
$sql = "SELECT id, name FROM clients WHEE name like %:name% order by id LIMIT 5";
$stm = $db->prepare ( $sql );
$stm->bindParam ( ":name" , $search);
$result = $stm->execute ();
As you can see, I'm trying to bind the parameter %:name% from my query, but I don't know if that's actually possible?
I receive the error:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]:.....
And I can see in the error that quotes ('') have been put around test1: %'test1'%
Is what I'm trying possible, or do I need to do something like this?
$sql = "SELECT id, name FROM clients WHERE name like :name order by id LIMIT 5";
$stm = $db->prepare($sql);
$stm->execute(array(":name" => "%" . $search . "%"));

Use
LIKE CONCAT('%', :name, '%')

Related

oci_bind_by_name() returns error

I'm using PHP to query an Oracle DB and everything works great unless I try to use oci_bind_by_name to replace a variable:
$link = oci_connect("user","password","server/service");
$sql = "SELECT name FROM customers WHERE name LIKE '%:name%'";
$query= oci_parse($link, $sql);
$name = "Bruno";
oci_bind_by_name($query, ":name", $name);
$execute = oci_execute($query);
I also tried to escape the quotes like this, but it returns the same error; I assume it's a problem with the % wildcards:
$sql = "SELECT name FROM customers WHERE name LIKE \"%:name%\" ";
The error is not specific:
( ! ) Warning: oci_bind_by_name(): in D:\gdrive\www\sites\pulseiras\php\engine.php on line 30
I'd like to use bind by name to avoid SQL injection. How can I make it work?
OCI is inserting the bound variable to your query and ending up with something like this:
SELECT name FROM customers WHERE name LIKE '%'Bruno'%'
Obviously a couple of unnecessary quotes have been added. This happens because a bound variable is treated as a single item.
You need to modify the variable before you bind, so:
$sql = "SELECT name FROM customers WHERE name LIKE :name"; // chars removed.
$query= oci_parse($link, $sql);
$name = "%Bruno%"; // chars added.
oci_bind_by_name($query, ":name", $name);
As usual, the PHP manual has many useful examples.
It's amazing how the brain only seems to start working after posting the question on Stack Overflow. It turns out the solution is to isolate the wildcards and concatenate them with the variable:
$sql = "SELECT name FROM customers WHERE name LIKE '%' || :name || '%' ";
$query = oci_parse($link, $sql); // parse before binding
$name = "Bruno";
oci_bind_by_name($query, ":name", $name);
$execute = oci_execute($query);

Correct way to use LIKE '%{$var}%' with prepared statements?

This does not work
$sql = 'SELECT * FROM `users` WHERE username LIKE \'%{?}%\' ';
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in /home/rgero/public_html/php/searchadmins.php on line 1
This one doesn't work either
$sql = 'SELECT * FROM `users` WHERE username LIKE %{?}% ';
Fatal error: Wrong SQL: SELECT * FROM users WHERE username LIKE %{?}% Error: 0 in /home/rgero/public_html/php/searchadmins.php on line 1
How would I go about this? I'm trying to make a search-for-players function that updates the results as you're typing in the form, something like how Google already shows answers while you're typing. I need the username Admin, if you type dm, to show up already among other usernames that contain "dm". It should also be case insensitive.
Try this
$likeVar = "%" . $yourParam . "%";
$stmt = $mysqli->prepare("SELECT * FROM REGISTRY where name LIKE ?");
$stmt->bind_param("s", $likeVar);
$stmt->execute();
You need to prepare the query using simply ?, then bind the param using bind_param.

php mysql statement not working

I have the following PHP MySQL statement that is working fine:
if (isset($_GET['name'])) {
    $data = "%".$_GET['name']."%";
    $sql = 'SELECT * FROM tbl_clients WHERE fname like ?';
    $stmt = $conn->prepare($sql);
    $results = $stmt->execute(array($data));
    $rows = $stmt->fetchAll();
    $error = $stmt->errorInfo();
}
But I want to add the following so it can check two columns for the name variable:
$sql = 'SELECT * FROM tbl_clients WHERE fname like ? or lname like ?';
If I modify the statement to the above, it errors out with the following:
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens in /var/www/www.test.com/search.php on line 38
It's pretty obvious: you have two ? and only one item in the array you are passing to $stmt->execute.
$sql = 'SELECT * FROM tbl_clients WHERE fname like :something or lname like :something';
$data = array(':something'=>'SOME VALUE');
$results = $stmt->execute($data);
In the updated query, you have two parameters, but you're only passing one value to execute. Just fix the latter problem, and it will work:
$results = $stmt->execute(array($data, $data));
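A fuller version of the pattern this thread and the first question ("bindParam WHERE name like %:name%") both arrive at, written as an added example rather than code from any of the answers: the wildcards are attached to the value, each column gets its own placeholder, and the user's own % and _ are escaped so a typed "%" cannot widen the match to every row. The table clients(id, fname, lname, email), the column list and the $dsn/$user/$pass connection details are assumptions.

```php
<?php
// Added example, not code from the answers above. Assumed: a MySQL table
// clients(id, fname, lname, email) and $dsn/$user/$pass connection details.

// Escape LIKE metacharacters in user input so they match literally; a bare
// "%" typed by the user would otherwise match every row. "!" is used as the
// escape character because it avoids backslash handling differences.
function escapeLike(string $term, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

function searchClients(PDO $db, string $term, array $columns, int $limit = 5): array
{
    // Column names cannot be bound as parameters, so check them against a list.
    $allowed = ['fname', 'lname', 'email'];
    $columns = array_values(array_intersect($columns, $allowed));
    if ($columns === []) {
        throw new InvalidArgumentException('no searchable column given');
    }

    // One distinct placeholder per column: reusing one named placeholder twice
    // only works while PDO emulates prepares, so do not depend on it.
    $clauses = [];
    $params  = [];
    foreach ($columns as $i => $col) {
        $clauses[]      = "`$col` LIKE :t$i ESCAPE '!'";
        $params[":t$i"] = '%' . escapeLike($term) . '%';   // wildcards live in the value
    }

    // $limit is a typed int, so interpolating it adds no user-controlled text.
    $sql = 'SELECT id, fname, lname FROM clients WHERE ' . implode(' OR ', $clauses)
         . ' ORDER BY id LIMIT ' . $limit;
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// A term such as "50%_off" now matches only rows containing that literal text.
$rows = searchClients($db, $_GET['search'] ?? '', ['fname', 'lname']);
```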

implement LIKE query in PDO

I am running into problems implementing LIKE in PDO.
I have this query:
$query = "SELECT * FROM tbl WHERE address LIKE '%?%' OR address LIKE '%?%'";
$params = array($var1, $var2);
$stmt = $handle->prepare($query);
$stmt->execute($params);
I checked $var1 and $var2; they both contain the words I want to search for. My PDO is working fine, since some of my other queries (SELECT, INSERT) work; it's just that I am not familiar with LIKE here in PDO.
No results are returned. Is my $query syntactically correct?
You have to include the % signs in the $params, not in the query:
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
If you'd look at the generated query in your previous code, you'd see something like SELECT * FROM tbl WHERE address LIKE '%"foo"%' OR address LIKE '%"bar"%', because the prepared statement is quoting your values inside of an already quoted string.
Simply use the following:
$query = "SELECT * FROM tbl WHERE address LIKE CONCAT('%', :var1, '%')
          OR address LIKE CONCAT('%', :var2, '%')";
$sqlprep = $handle->prepare($query);
$ar_val = array(':var1' => $var1, ':var2' => $var2);
if ($sqlprep->execute($ar_val)) { ... }
No, you don't need to quote prepare placeholders. Also, include the % marks inside of your variables.
LIKE ?
And in the variable: %string%
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
You can see the example below:
$title = 'PHP%';
$author = 'Bobi%';
// query
$sql = "SELECT * FROM books WHERE title like ? AND author like ? ";
$q = $conn->prepare($sql);
$q->execute(array($title,$author));
Hope it will work.

Search - SQL statement

I'm trying to write a search function that gets its parameter from the user and uses an SQL statement to get the result from a MySQL database.
The statement:
$title = $_GET['title'];
$result = mysql_query("SELECT name, phone, email from person where name= '$title'");
The problem with this statement is that it's only taking the exact name; if the user is looking for "David" and just types "Da" then no result will be found.
I need a statement that, when the user enters part of the name, displays all matches with "Da".
You can try a wildcard search, which is not optimal, but should work:
$title = mysql_real_escape_string($_GET['title']);
$result = mysql_query("SELECT name, phone, email from person where name like '$title%'");
Use the LIKE condition:
SELECT name, phone, email
FROM person
WHERE name LIKE '%$title%'
This searches for $title anywhere in name.
Use PDO to prevent SQL Injection attacks. Read it, learn it, code it, live it.
You'll want to use the wildcard character - %
<?php
$dbh = new PDO('mysql:host=xxx;port=xxx;dbname=xxx', $user, $pass );
$sql = "SELECT name, phone, email from person where name LIKE :username";
$sth = $dbh->prepare( $sql );
$sth->bindValue( ':username', '%' . $_GET['title'] . '%', PDO::PARAM_STR );
$sth->execute();
$result = $sth->fetchAll( PDO::FETCH_OBJ );
print_r( $result );
I recommend you read this, it will be useful to you:
http://www.w3schools.com/sql/sql_wildcards.asp
