ID:               46556
 Updated by:       [EMAIL PROTECTED]
 Reported By:      taco at procurios dot nl
 Status:           Open
 Bug Type:         PDO related
 Operating System: linux
 PHP Version:      5.2.6
-Assigned To:      
+Assigned To:      johannes
 New Comment:

Maybe something for PDOv2 or mysqli?


Previous Comments:
------------------------------------------------------------------------

[2008-11-12 15:56:53] taco at procurios dot nl

Description:
------------
There is no good method to escape a string for use in a (MySQL) LIKE
clause. In a query like "SELECT `foo` FROM `bar` WHERE `baz` LIKE '%" .
$qux . "%'" the value of $qux should be escaped both for the query
itself (like PDO::quote() does) and for the LIKE clause (i.e. escaping %
and _ characters).

Using PDO, the only way to escape a variable is to use either
PDOStatement::bindParam() or PDO::quote(). The first is not suitable for
two reasons:
1. Not every query is a prepared statement
2. There is no way to escape % and _ (escaping them first will result
in the \ being escaped: \% becomes \\%)

The latter is not suitable because it will add quotes to the string, so
you'll have to get rid of the quotes, escape % and _ and add the result
to the query.



------------------------------------------------------------------------
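One way to handle this with the PDO the reporter already has, as an added example that is not part of the bug report or of PHP's own code: escape the LIKE wildcards with a character of your own choosing, declare that character with an explicit ESCAPE clause, and bind the finished pattern as a parameter so the driver does the SQL quoting. Keeping the two escaping steps apart is what stops user input from injecting `%` or `_` wildcards into the search. `$pdo` is assumed to be an open connection; the table and column names are taken from the report's query.

```php
<?php
// Added example, not from the bug report. Escape LIKE metacharacters
// separately from SQL quoting, then let PDO quote the bound parameter.

/**
 * Make $value match literally inside a LIKE pattern by escaping
 * % (any sequence), _ (any single character) and the escape character.
 * The escape character is declared with ESCAPE in the query, so the
 * result does not depend on how the driver treats backslashes.
 */
function escapeLike(string $value, string $escape = '!'): string
{
    if (strlen($escape) !== 1 || $escape === '%' || $escape === '_') {
        throw new InvalidArgumentException('escape must be one non-wildcard character');
    }
    // The escape character is doubled first; if it were done last, the
    // escapes just added for % and _ would be escaped a second time.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * "Contains" search on `baz` as a prepared statement. Only the caller's
 * own wildcards (the surrounding %) remain active; $needle is literal.
 * $pdo is a hypothetical open PDO connection.
 */
function findContaining(PDO $pdo, string $needle): array
{
    $sql = "SELECT `foo` FROM `bar` WHERE `baz` LIKE :pattern ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':pattern' => '%' . escapeLike($needle) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline check of the escaping step alone (no database needed).
// escapeLike('50%_off') gives '50!%!_off'; escapeLike('a!b') gives 'a!!b'.
var_dump(escapeLike('50%_off') === '50!%!_off');
var_dump(escapeLike('a!b') === 'a!!b');
```

With a true server-side prepared statement the `\%` problem from the report does not arise, but the explicit ESCAPE clause makes the pattern behave the same whether PDO emulates prepares or not.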

