
After reviewing this SO, I am having some trouble using prepared statements.

I have added the following to my db connection:

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

And here are my query statements:

$query = "SELECT schedules.schedule_name, users.name, schedules.schedule_id
    FROM schedules
    INNER JOIN users
    ON schedules.admin_id=users.user_id
    WHERE schedules.schedule_name
    LIKE '%:search%'
    ORDER BY schedules.schedule_name";
$stmt   = $db->prepare($query);
$result = $stmt->execute(array('search' => $search_string));
$search_results = $stmt->fetchAll();

As you can see in the LIKE, I am trying to replace :search when the query is executed but it does not seem to be replaced.

Shane

1 Answer


When you do a parameterized query, it is not simply a string replace, and you don't surround it with single quotes:

$query = "SELECT schedules.schedule_name, users.name, schedules.schedule_id
    FROM schedules
    INNER JOIN users
    ON schedules.admin_id=users.user_id
    WHERE schedules.schedule_name
    LIKE :search
    ORDER BY schedules.schedule_name";

But you want to have % wildcards around the term, right? Add them when you inject it:

$result = $stmt->execute(array('search' => '%' . $search_string . '%'));
Digital Chris
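The answer's approach carried through, as an added example that is not code from the question or the answer: the wildcards wrap the bound value, and the user's own `%` and `_` characters are escaped first so a search term cannot widen the match. It runs against an in-memory SQLite database with constructed rows; the table and column names follow the question's query, and `escapeLikePattern`, `searchSchedules` and the `!` escape character are assumptions of this example.

```php
<?php
// Added example (not from the original question or answer). Uses an in-memory
// SQLite database with constructed sample data so it runs offline.

// Escape LIKE metacharacters so the user's term matches literally. '!' is the
// escape character declared with ESCAPE in the query below (an assumption of
// this example; any character is fine as long as the query declares it).
function escapeLikePattern(string $term, string $esc = '!'): string
{
    // Double the escape character first, then protect '%' and '_'.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

function searchSchedules(PDO $db, string $searchString): array
{
    // Placeholder only, no quotes around it, plus an explicit ESCAPE clause.
    $query = <<<'SQL'
SELECT schedules.schedule_name, users.name, schedules.schedule_id
  FROM schedules
  INNER JOIN users ON schedules.admin_id = users.user_id
  WHERE schedules.schedule_name LIKE :search ESCAPE '!'
  ORDER BY schedules.schedule_name
SQL;
    $stmt = $db->prepare($query);
    // Wildcards are added to the value, after escaping, not to the SQL text.
    $stmt->execute(['search' => '%' . escapeLikePattern($searchString) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE schedules (schedule_id INTEGER PRIMARY KEY, schedule_name TEXT, admin_id INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO schedules VALUES (1, 'Q1 plan', 1), (2, 'Q2 plan', 2), (3, '100% done', 1)");

// Constructed inputs: a plain term, then one that is itself a LIKE wildcard.
print_r(searchSchedules($db, 'plan'));  // 'Q1 plan' and 'Q2 plan'
print_r(searchSchedules($db, '%'));     // only '100% done', not every row
```

The explicit ESCAPE clause is what makes the literal match portable: MySQL's default escape character is a backslash, SQLite has none, and declaring `!` in the query removes that difference.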