php mysqli prepared statement using wildcards

Question

I am trying to build this prepared statement:

$sql = "SELECT * FROM entries WHERE";
$sql .= " title LIKE ? OR title LIKE ? OR title LIKE ? OR title LIKE ?";
$sql .= " OR content LIKE ? OR content LIKE ? OR content LIKE ? OR content LIKE ?";

$q = $this->db->prepare($sql);

$one = $this->term;
$two = "%" . $this->term;
$three = $this->term . "%";
$four = "%" . $this->term . "%";

$q->bind_param("ssssssss", $one, $two, $three, $four, $one, $two, $three, $four);
$q->execute();

$this->db is my mysqli connection object

$this->term is a user provided string.

I am not receiving any type of error as from the database. I know the sql statement works, I ran it with a $this->db->query() and it came out fine. When I run it with the prepared statement it comes back with no results. Any suggestions?

Answer 1

To use a wildcard in a prepared statement you need to use CONCAT in your sql statement. The database will take care of concatenating the percent signs onto your search term.

Assuming you want a wildcard at the beginning or end of your search term, your sql should look like:

$sql = "SELECT * FROM entries WHERE title LIKE CONCAT('%', ?, '%') OR content LIKE CONCAT('%', ?, '%')";

Answer 2

I could not get it to work with a prepared statement. I moved to to a mysqli->query() and escaped the user string. Carlos, thanks for the help in fixing my query.