
LIKE statement and special characters in PDO / PHP

I've already checked answers to questions like this one (How do I create a PDO parameterized query with a LIKE statement in PHP). I've ended up with this solution:

$sql  = "SELECT count(*) ".
        "FROM mytable ".
        "WHERE num_certif LIKE CONCAT('%',:val,'%')";
$valeur = 'azert';
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':val', $valeur); // bind the same variable that was assigned above
$stmt->execute();

This works, but here is my problem: how do I handle the '%' char? (i.e. $valeur = '%'; returns all the rows)

You need to escape the % character,

  $valeur = '\%';

Note for PostgreSQL users... instead of the CONCAT function you can use

   SELECT count(*)
   FROM mytable
   WHERE num_certif LIKE '%' || :val || '%'

I achieved that using string comparison functions:

WHERE INSTR(LCASE(num_certif),LCASE(:val))>0

I suspect performance will suffer.

I have been using something very simple, like this:

    $select_str = "SELECT * FROM table_x WHERE text_field LIKE '%".$value."%'";

    $StHandler = $this->dbHandler->prepare($select_str);
    $StHandler->execute();

You can use only one % depending on what you're looking for. For example, if you want it to start with your value and have any characters later, you will use '".$value."%'"

Hope this helps

In order to avoid having to do your own escaping, the stuff that needs to be escaped has to be part of the data that PDO protects, namely the bound arguments. It doesn't protect you from anything in the hard-coded query.

$sql  = "SELECT count(*) ".
    "FROM avs_souscript ".
    "WHERE num_certif =\"\" ".
    "AND date_annul=\"\" ".
    "AND user=:sess_user ".
    "AND user!=\"\" ".
    "AND num_certif LIKE :num_certif_search";
$valeur = 'azert'; //I assume this actually came from some user input
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':num_certif_search', '%'.$valeur.'%');

(Or alternately you could put them in the $valeur = "%{$userInput}%"; assignment.) Either way, they should be in the bound argument, not in the SQL.

Moving this bit of silly string concat from the sql out to the php is also good practice for making a scalable application. It's much easier to scale a farm of web servers than it is to scale the database server.
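Binding the value keeps the query itself safe, but a user-supplied '%' or '_' is still a wildcard to LIKE. The following is an added example (not code from the question or any answer above) that escapes those wildcards in the bound value and declares the escape character with an ESCAPE clause; it assumes the pdo_sqlite extension so it can run against a constructed in-memory table.

```php
<?php
// Added example: literal substring search with LIKE through PDO.
// '!' is used as the escape character because a backslash needs
// different quoting on MySQL versus SQLite/PostgreSQL.
function escapeLikeValue(string $value, string $escape = '!'): string
{
    // Order matters: double the escape char first, then guard % and _.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Count rows whose num_certif contains $needle as a literal substring.
function countContaining(PDO $pdo, string $needle): int
{
    $sql = "SELECT count(*) FROM mytable WHERE num_certif LIKE :val ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    // The surrounding wildcards live in the bound data, not in the SQL text.
    $stmt->bindValue(':val', '%' . escapeLikeValue($needle) . '%');
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed sample data (hypothetical table and rows, not from the page).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mytable (num_certif TEXT)");
$ins = $pdo->prepare("INSERT INTO mytable (num_certif) VALUES (:v)");
foreach (['azert-001', 'azerty-002', 'rate 50%', 'a_b'] as $row) {
    $ins->execute([':v' => $row]);
}

// Without escaping, a needle of '%' or '_' would match every row.
printf("'%s' -> %d rows\n", 'azert', countContaining($pdo, 'azert')); // 2
printf("'%s' -> %d rows\n", '%',     countContaining($pdo, '%'));     // 1, only "rate 50%"
printf("'%s' -> %d rows\n", '_',     countContaining($pdo, '_'));     // 1, only "a_b"
```

On MySQL the same ESCAPE '!' clause works and sidesteps the backslash handling that the '\%' answer above relies on.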
