php 如何使用 LIKE 语句创建 PDO 参数化查询?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/583336/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I create a PDO parameterized query with a LIKE statement?
提问by Andrew G. Johnson
Here's my attempt at it:
这是我的尝试:
$query = $database->prepare('SELECT * FROM table WHERE column LIKE "?%"');
$query->execute(array('value'));
while ($results = $query->fetch())
{
echo $results['column'];
}
回答by Andrew G. Johnson
Figured it out right after I posted:
我发帖后马上想通了:
$query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->execute(array('value%'));
while ($results = $query->fetch())
{
echo $results['column'];
}
回答by Kzqai
For those using named parameters, here's how to use LIKEwith %partial matching for MySQL databases:
对于使用命名参数的,这里是如何使用LIKE与%用于部分匹配的MySQL数据库:
WHERE column_name LIKE CONCAT('%', :dangerousstring, '%')where the named parameter is :dangerousstring.
其中命名参数是:dangerousstring.
In other words, use explicitly unescaped %signs in your own query that are separated and definitely not the user input.
换句话说,%在您自己的查询中使用明确的非转义符号,这些符号是分开的,绝对不是用户输入。
Edit:Concatenation syntax for Oracle databasesuses the concatenation operator: ||, so it'll simply become:
编辑:Oracle 数据库的连接语法使用连接运算符: ||,因此它将简单地变为:
WHERE column_name LIKE '%' || :dangerousstring || '%'
However there are caveats as @bobince mentions herethat:
The difficultycomes when you want to allow a literal
%or_character in the search string, without having it act as a wildcard.
当您希望在搜索字符串中允许使用文字或字符而不将其用作通配符时, 困难就来了。
%_
So that's something else to watch out for when combining like and parameterization.
因此,在组合 like 和参数化时,还有一点需要注意。
回答by Blazer
$query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->bindValue(1, "%$value%", PDO::PARAM_STR);
$query->execute();
if (!$query->rowCount() == 0)
{
while ($results = $query->fetch())
{
echo $results['column'] . "<br />\n";
}
}
else
{
echo 'Nothing found';
}
回答by Vijaysinh Parmar
You can also try this one. I face similar problem but got result after research.
你也可以试试这个。我面临类似的问题,但经过研究得到了结果。
$query = $pdo_connection->prepare('SELECT * FROM table WHERE column LIKE :search');
$stmt= $pdo_connection->prepare($query);
$stmt->execute(array(':search' => '%'.$search_term.'%'));
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($result);
回答by kjdion84
This works:
这有效:
search `table` where `column` like concat('%', :column, '%')
回答by gavin
I got this from php delusions
我从php 妄想中得到了这个
$search = "%$search%";
$stmt = $pdo->prepare("SELECT * FROM table WHERE name LIKE ?");
$stmt->execute([$search]);
$data = $stmt->fetchAll();
And it works for me, very simple. Like he says , you have to "prepare our complete literal first" before sending it to the query
它对我有用,非常简单。就像他说的那样,在将其发送到查询之前,您必须“首先准备我们完整的文字”
回答by Ozkar R
PDO escapes "%" (May lead to sql injection): The use of the previous code will give the desire results when looking to match partial strings BUTif a visitor types the character "%" you will still get results even if you don't have anything stored in the data base (it may lead sql injections)
PDO 转义“%”(可能会导致 sql 注入):在查找匹配部分字符串时,使用前面的代码将给出所需的结果,但是如果访问者键入字符“%”,即使您不输入,您仍然会得到结果' t 在数据库中存储任何东西(它可能会导致 sql 注入)
I've tried a lot of variation all with the same result PDO is escaping "%" leading unwanted/unexcited search results.
我已经尝试了很多变化,结果都相同 PDO 正在逃避“%”导致不需要/不兴奋的搜索结果。
I though it was worth sharing if anyone has found a word around it please share it
我认为这是值得分享的,如果有人发现有关它的词,请分享
