
I clean post data using mysqli_real_escape_string. Should I also, then, apply addcslashes() to a variable that is used in an SQL LIKE clause?

[I understand that using prepared statements would probably negate this discussion.]

Cœur
Andy G
  • Your comment about prepared statements is a good one. You should switch to those right away. http://stackoverflow.com/questions/1786436/php-pdo-prepared-statement-mysql-like-query – hakre Aug 06 '12 at 13:25
  • possible duplicate of [Escaping MySQL wild cards](http://stackoverflow.com/questions/3683746/escaping-mysql-wild-cards) - but the given `str_replace` based solution does not look right to me. Just noting. – hakre Aug 06 '12 at 13:27

1 Answer


If you cannot use prepared statements (always a good option) - as far as I know it is best to escape the MySQL LIKE wildcards as well:

$param = addcslashes($param, '%_'); // backslash-escape the LIKE wildcards % and _, then pass the result through mysqli_real_escape_string() before building the query
madflow
  • Thanks - just what I was looking for! [People here are very keen on prepared statements. I understand this.. but the constant repetition sometimes distracts from the original question.] – Andy G Aug 06 '12 at 14:03
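An added example (PHP; not code from the question or the answer) showing the two escaping layers a user-supplied LIKE value needs, and the case the one-liner above leaves out: because backslash is MySQL's default LIKE escape character, a backslash in the input must be escaped at the LIKE layer too, and the LIKE layer goes first, the SQL-literal layer second. It also shows that a prepared statement only replaces the second layer, not the first. The table `items(id, name)`, the `$db` mysqli connection and the use of `get_result()` (needs mysqlnd) are assumptions; the `escape_like()` check at the bottom runs without a database.

```php
<?php
// Added example, not from the original post. Constructed inputs only.

/**
 * LIKE layer: make '\', '%' and '_' match literally.
 * Omitting '\' is the subtle bug: input 'a\%' would become 'a\\%',
 * which MySQL reads as a literal backslash followed by a wildcard.
 */
function escape_like(string $value): string
{
    return addcslashes($value, '\\%_');
}

/**
 * Prepared statement: the driver handles the SQL-literal layer, but the
 * bound value is still a LIKE pattern, so escape_like() is still required.
 * Assumes $db is an open mysqli connection and a table items(id, name).
 */
function find_by_prefix(mysqli $db, string $prefix): array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE name LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Only the '%' we append is a wildcard; the user text matches literally.
    $pattern = escape_like($prefix) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Concatenation (the question's setting): LIKE layer first, then the
 * connection-aware SQL-literal layer, then embed the quoted result.
 */
function build_like_sql(mysqli $db, string $prefix): string
{
    $pattern = mysqli_real_escape_string($db, escape_like($prefix)) . '%';
    return "SELECT id, name FROM items WHERE name LIKE '$pattern'";
}

// Offline check of the LIKE layer on constructed inputs; note that the
// third one contains a backslash before the wildcard.
foreach (['50%', 'a_b', 'a\\%'] as $input) {
    printf("%-6s -> %s\n", $input, escape_like($input));
}
```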