使用like子句[duplicate]执行准备好的PDO语句

This question already has an answer here:

How do I create a PDO parameterized query with a LIKE statement? 8 answers

I am new to PHP, and am trying to learn to use PDO to connect to a test MySQL db. I have the following:

try {
    $db = new PDO('mysql:dbname=MYDBNAME;host=MYHOST', 'USERNAME', 'PASSWORD');

    $query = "select * from books where ? like '%?%'";
    $stmt = $db->prepare($query);
    $stmt->execute(array($searchtype, $searchterm));  
} catch(PDOException $e) {
    echo 'PDOException: ' . $e->getMessage();
}

When I try it I get the following warning: Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

When I remove the like clause, and the $searchterm param, it returns the result properly. I thought -- like '%?%' -- might not be a legal way to create this query under double quotes, so I tried escaping ', which did not work. I looked around for a solution, and found that someone moved '% and %' down to where $searchterm is:

$query = "select * from books where ? like ?";
...
$stmt->execute(array($searchtype, '\'%'.$searchterm.'%\''));

I got the same result.
Any help is appreciated. Thanks!

/ UPDATE ****/ I found on example 12 of http://us3.php.net/manual/en/pdo.prepared-statements.php

Example #12 Invalid use of placeholder

<?php
$stmt = $dbh->prepare("SELECT * FROM REGISTRY where name LIKE '%?%'");
$stmt->execute(array($_GET['name']));

// Below is What they suggest is the correct way.
// placeholder must be used in the place of the whole value 
$stmt = $dbh->prepare("SELECT * FROM REGISTRY where name LIKE ?");
$stmt->execute(array("%$_GET[name]%"));
?>

I tried this, and even though I no longer get a Warning, I do not get any results. However when I execute the query directly I will get a couple of results. Any thoughts?

</div>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

3条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dqrdlqpo775594 2010-10-08 18:42
关注
$stmt->execute(array($searchtype, '\'%'.$searchterm.'%\''));

This isn't how parameterised queries work. Inserted parameters act as literal strings already, you don't have to add quote delimiters around them or escape them (that's the whole point), and if you try, you're literally comparing against the string single-quote-searchterm-single-quote.

Consequently if you are (as I suspect) intending to compare a particular column against a literal string, you don't parameterise the column name. At the moment you are comparing a literal string to another literal string, so it'll either always be true or always false regardless of the data in the row!

So I think what you probably mean is:

$query= "SELECT * FROM books WHERE $searchtype LIKE ?"; $like= "%$searchterm%"; $stmt->execute(array($like));

thought naturally you will have to be very careful that $searchtype is known-good to avoid SQL-injection. Typically you would compare it against a list of acceptable column names before using it.

(Aside: there is a way of putting arbitrary strings in a schema name that you can use for a column, but it's annoying, varies across databases and there isn't a standard escaping function for it. In MySQL, you backslash-escape the backquote character, quotes and backslashes and surround the name with backquotes. In ANSI SQL you use double-quotes with doubled-double-quotes inside. In SQL Server you use square brackets. However in reality you vary rarely need to do any of this because really you only ever want to allow a few predefined column names.)

(Another aside: if you want to be able to allow $searchterm values with literal percents, underlines or backslashes in—so users can search for “100%” without matching any string with 100 in—you have to use an explicit escape character, which is a bit tedious:)

$query= "SELECT * FROM books WHERE $searchtype LIKE ? ESCAPE '+'"; $like= str_replace(array('+', '%', '_'), array('++', '+%', '+_'), $searchterm); $stmt->execute(array("%$like%"));
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

使用PHP / PDO进行PostgreSQL UPDATE的RETURNING子句 php postgresql sql
2014-10-17 13:02

回答 2 已采纳 According to PDO's doc: PDO::exec() executes an SQL statement in a single function call, ret
PHP PDO发布字符串列表IN Where子句 mysql php
2016-07-11 01:00

回答 1 已采纳 Your $_POST["idsvar"] is a string, not an array. Use explode to split it to an array at each comma
使用php数组作为Postgres IN子句的参数 php postgresql
2017-12-08 14:59

回答 1 已采纳 Take a look at the Aura.Sql documentation for quote(), here: https://github.com/auraphp/Aura.Sql/
防止 SQL 注入的 PHP PDO 准备语句教程
2022-08-21 13:13

allway2的博客 PDO 的真正优势在于，您在它支持的无数数据库中都使用了几乎相似的 API，因此您无需为每个数据库学习新的 API。不幸的是，在关闭模拟模式的情况下，您不能多次使用相同的命名参数，因此对于本教程来说它是无用的。这...
准备好的PHP SQL语句在没有GROUP BY子句的情况下返回false mysql php sql
2017-08-03 16:07

回答 3 已采纳 The use of aggregation function without group by is depracted and in the most recent version of m
解决方案使用PDO将数组放入IN子句中 mysql php sql
2014-07-29 09:50

回答 1 已采纳 You cannot use :namedParameters and ? placeholders at the same time, as the error says. It's eithe
无法将参数绑定到WHERE子句PDO php postgresql sql
2017-09-17 18:50

回答 1 已采纳 As you can see on this link you the PDO's execute method returns boolean by definition. I would r
防止 SQL 注入的 PHP MySQLi 准备语句教程
2022-08-21 13:01

allway2的博客这可能看起来很奇怪，为什么它甚至会保证自己的部分，因为您实际上可以一个接一个地使用准备好的语句。建议使用准备好的语句，因为它们显然更适合防止 SQL 注入并且不太容易出错，因为您不必担心手动格式化——相反...
在PDO连接中的WHERE子句中使用变量 php
2013-10-21 21:09

回答 2 已采纳 You forget to bindValue() the id: $stmt->bindValue( "id",...); EDIT: I know the Marc B answe
当我们使用Raw SQL时，如何在Laravel中使用like子句？ laravel mysql php
2016-06-30 15:55

回答 1 已采纳 Add the wildcards to your variable, not the query, and don't add the quotes. You're also not passi
什么是PDO PHP中的LIMIT子句？ php
2012-06-20 09:56

回答 1 已采纳 LIMIT is MySql-specific syntax that instructs the server to return only a portion of the full resu
mysql connetor orm_一篇mysql的pdo操作类(阻塞)
2021-02-01 14:54

余虹的眼的博客此代码身经百战, 使用简便。操作类启用了强类型检查, 代码在下方, 注意需要配合另外4个.../***使用PDO扩展实现orm对mysql的数据库操作*Yaf专用*@packageorm*@subpackagemysql*@authorShin.Chou*@since20160811*@vers...
带SQL Server的PHP（请不要使用MySQL） - 在WHERE子句中选择带有LIKE的语句 php sql
2016-03-01 05:12

回答 1 已采纳 You check form input values through $_REQUEST['lname'] and then assign a variable $lname = (string
SQL注入-盲注-时间注入-报错注入-布尔盲注-DNSlog注入-宽字节注入-WAF绕过-SqlMap使用
2019-07-30 17:31

M.François的博客 WAMP是php + mysql + Apache环境集成工具 2.下载Sqli-labs https://github.com/webattacker/sqli-labs 将Sqli-labs解压后整个目录拖拽到路劲:C:\wamp64\www 下 3.在浏览器上访问http://localhost...
mysql update 性能差_msyql性能优化之update
2021-01-19 13:13

第五流羽的博客我们都知道在MySQL中批量insert的速度会比一条条insert快很多，在MySQL中批量更新我们可能使用update,replace into来操作，下面小编来给各位同学详细介绍MySQL批量更新与性能吧。批量更新MySQL更新语句很简单，更新...
没有解决我的问题, 去提问

悬赏问题

¥15 Mac系统vs code使用phpstudy如何配置debug来调试php
¥15 目前主流的音乐软件，像网易云音乐，QQ音乐他们的前端和后台部分是用的什么技术实现的?求解！
¥60 pb数据库修改与连接
¥15 spss统计中二分类变量和有序变量的相关性分析可以用kendall相关分析吗？
¥15 拟通过pc下指令到安卓系统，如果追求响应速度，尽可能无延迟，是不是用安卓模拟器会优于实体的安卓手机？如果是，可以快多少毫秒？
¥20 神经网络Sequential name=sequential, built=False
¥16 Qphython 用xlrd读取excel报错
¥15 单片机学习顺序问题！！
¥15 ikuai客户端多拨vpn，重启总是有个别重拨不上
¥20 关于#anlogic#sdram#的问题，如何解决？(关键词-performance)

使用like子句[duplicate]执行准备好的PDO语句

3条回答 默认 最新

悬赏问题

3条回答默认最新