-1

Im a having a problem with this piece of code, im using a form to pass a value to a search engine, what I want to do is to read special character as regular character, becuase if i type %sam% it reads this as part of the 'query', not like a regular string(normal character)

it is possible to 

$search = $_GET['query']; 
$query = "SELECT * FROM mobiles WHERE (`name` LIKE :search) or (`type` LIKE :search)"; 
$query_params = array(':search' => mysql_real_escape_string( $search ));

try
{
  $stmt = $db->prepare($query);
  $result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
  die("Failed to run query: " . $ex->getMessage());
}
Alberto
  • 117
  • 1
  • 1
  • 8
  • "becuase if i type %sam% it reads this as a 'query'" WAT? – PeeHaa Jul 17 '14 at 18:48
  • 2
    Also: why are you trying to use `mysql_real_escape_string`??? – PeeHaa Jul 17 '14 at 18:48
  • So you want to be able to use wildcard search from the form instead of on the query itself? – Prix Jul 17 '14 at 18:49
  • 2
    m_r_e_s() is going to fail unless you connected to mysql via mysql_connect - it will not (and literally can't ever) use the PDO connection to do what it has to. And since you're using placeholders, escaping like that is just going to double-escape the data and prevent matches of text that does normally have sql metachars. – Marc B Jul 17 '14 at 18:50
  • @PeeHaa I just trying to fin a way to read the % simbol as nomar character not a symbol, I hope it makes sense – Alberto Jul 17 '14 at 18:50
  • Maybe the accepted answer of http://stackoverflow.com/questions/3683746/escaping-mysql-wild-cards can be of help – VMai Jul 17 '14 at 18:53
  • possible duplicate of http://stackoverflow.com/questions/24806912/how-can-i-prevent-sql-injection-using-php-with-a-like-query – VMai Jul 17 '14 at 18:54

2 Answers2

0

use quote from your pdo Connection Object

 $db->quote($search ); //Assuming your connection is $db

Though % is special in that, it is legal in a string, so you would probably have to escape it manually.

$search = str_replace("%", "\%", $search),
Cheruvian
  • 5,628
  • 1
  • 24
  • 34
  • 1
    Given that **`$search`** is being supplied as a value for a bind variable to a prepared statement, the value of `$search` is not included in the SQL text. So the call to the `quote` is not only unnecessary, it will also add literal quotes to the value. (It's not illegal to do this, just very odd that we'd include literal quotes in the search, very odd to perform a search equivalent to `LIKE '%''foo''%'` rather than just `LIKE '%foo%'`. (This was selected as the answer by OP, but it's a bad answer because the recommendation to use `quote` is way off base. – spencer7593 Jul 17 '14 at 19:23
0

Some points:

  • mysql_real_escape_string has no use whatsoever here. named parameters relieves you from thinking about that
  • with mysql you can't use the same named placeholder :search, either you make two of em (:search1,:search2) either you set ATTRIBUTE_EMULATE_PREPARES=>TRUE when building PDO
  • When working with LIKE in PDO you must be sure to pass % around the string you submit to the placeholder: array(':search' => '%' . $search . '%');
Félix Adriyel Gagnon-Grenier
  • 8,422
  • 10
  • 52
  • 65