Ultimately, what I want, is to be able to make a search for which the search-term is the current page's url, with wildcards before and after.

最终，我想要的是能够进行搜索，搜索词是当前页面的 url，前后都带有通配符。

The SQL wildcard character is a percent sign. Therefore:

SQL 通配符是一个百分号。所以：

$variable = curPageURL();
$variable = mysql_real_escape_string($variable);
$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '%{$variable}%'";

Note: I've added in an extra bit of code. mysql_real_escape_string()will protect you from users deliberately or accidentally putting characters that will break your SQL statement. You're better off using parameterised queries, but that's a more involved topic than this simple fix.

注意：我添加了一些额外的代码。mysql_real_escape_string()将保护您免受用户故意或意外放置会破坏您的 SQL 语句的字符。最好使用参数化查询，但这比这个简单的修复更复杂。

Also note: I've fixed your string quoting, too. You can only use a variable in a string directly if that string is double quoted, and you were missing a quote at the end of $query.

另请注意：我也修复了您的字符串引用。如果字符串是双引号，则只能直接在字符串中使用变量，并且在$query.

edit 17 Jan 2015:Just got an upvote, so with that in mind, pleasedon't use the mysql_*functions anymore.

2015 年 1 月 17 日编辑：刚刚得到一个赞成票，所以请记住这一点，请不要再使用这些mysql_*功能。

Use:

用：

$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '{$variable}'" ;

To get an idea of why to prevent SQL injection attacks, like the above would be vulnerable to, I submit "Exploits of a Mom":

为了了解为什么要防止 SQL 注入攻击，就像上面那样容易受到攻击，我提交了“妈妈的漏洞”：

Please don't do this, it is vulnerable to SQL injection (this is a list of 138 StackOverflow questions you should read, absorb and understand prior to returning to your application). Use parametrized queries or stored procedures.

请不要这样做，它很容易受到SQL 注入的攻击（这是一个包含 138 个 StackOverflow 问题的列表，您在返回应用程序之前应该阅读、吸收和理解）。使用参数化查询或存储过程。

Use double quotesif you need to substitute variable values:

如果需要替换变量值，请使用双引号：

## this code is open for SQL injection attacks
$query = "SELECT * FROM `tablename` WHERE `columnname` LIKE '$variable'";

Or concat string manually:

或手动连接字符串：

## this code is open for SQL injection attacks
$query = 'SELECT * FROM `tablename` WHERE `columnname` LIKE "' . $variable . '"';

Your code is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query string. Instead, it must first be sanitized with a function such as mysql_real_escape_string().

您的代码容易受到 SQL 注入攻击。永远不应将用户提供的数据直接放入 SQL 查询字符串中。相反，它必须首先使用诸如mysql_real_escape_string().

As to why you're not being notified of the syntax error: It's fairly likely that your error reporting settings aren't set up correctly.

至于为什么您没有收到语法错误的通知：很可能您的错误报告设置没有正确设置。

Open php.iniand make sure the following is set:

打开php.ini并确保设置了以下内容：

display_errors = On

And:

和：

error_reporting = E_ALL