How to bind LIKE values using the PDO extension?

Question

In this query

select wrd from tablename WHERE wrd LIKE '$partial%'

I'm trying to bind the variable '$partial%' with PDO. Not sure how this works with the % at the end.

Would it be

select wrd from tablename WHERE wrd LIKE ':partial%'

where :partial is bound to $partial="somet"

or would it be

select wrd from tablename WHERE wrd LIKE ':partial'

where :partial is bound to $partial="somet%"

or would it be something entirely different?

Answer 1

You could also say:

SELECT wrd FROM tablename WHERE wrd LIKE CONCAT(:partial, '%')

to do the string joining at the MySQL end, not that there's any particular reason to in this case.

Things get a bit more tricky if the partial wrd you are looking for can itself contain a percent or underscore character (since those have special meaning for the LIKE operator) or a backslash (which MySQL uses as another layer of escaping in the LIKE operator — incorrectly, according to the ANSI SQL standard).

Hopefully that doesn't affect you, but if you do need to get that case right, here's the messy solution:

$stmt= $db->prepare("SELECT wrd FROM tablename WHERE wrd LIKE :term ESCAPE '+'");
$escaped= str_replace(array('+', '%', '_'), array('++', '+%', '+_'), $var);
$stmt->bindParam(':term', $escaped);

Answer 2

$var = "partial%";
$stmt = $dbh->prepare("select wrd from tablename WHERE wrd LIKE :partial");
$stmt->bindParam(":partial", $var);
$stmt->execute(); // or $stmt->execute(array(':partial' => $var)); without 
                  // first calling bindParam()
$rs = $stmt->fetchAll();

Using question mark parameters:

$stmt = $dbh->prepare('select wrd from tablename WHERE wrd LIKE ?');
$stmt->execute(array('partial%'));
$rs = $stmt->fetchAll();

http://www.php.net/manual/en/pdo.prepare.php

Answer 3

You can use addcslashes before prepared statement. I tested on mysql.

$value = addcslashes($value, '%');
$stmt = $db->prepare('select * from products where description like ?');
$stmt->execute(["$value%"]);

Answer 4

I think the accepted answer (by @bobince) can be simplified a bit.

You can reduce it to something like this to handle underscore, percentage, etc in the param but still match the LIKE query with partial%:

$stmt = $dbh->prepare("select wrd from tablename WHERE wrd LIKE :partial");
$stmt->execute([":partial" => addcslashes($value, '_%') . "%"]);
$rows = $stmt->fetchAll();

Answer 5

The below code it shows only the first keywords in the database!

"SELECT wrd FROM tablename WHERE wrd LIKE CONCAT(:partial, '%')"

Try this one if you want to search all the keywords from the database

"SELECT wrd FROM tablename WHERE wrd LIKE :partial";
$stmt->execute(array(':partial'=>'%'.$YourVarHere.'%'));

Answer 6

This is how you should do it

bindValue(':partial', '%' . $_GET['partial'] . '%');

Thanks,

Qwerty

Answer 7

Who has written the answare (may be karim79):

$var ="partial%"
$stmt =$dbh->prepare("select wrd from tablename WHERE wrd LIKE :partial")
$stmt->bindParam(":partial",$var)
$stmt->execute(); //or$stmt->execute(array(':partial'=>$var)); without 
                  // first calling bindParam()
$rs =$stmt->fetchAll();

Using question mark parameters:

$stmt =$dbh->prepare('select wrd from tablename WHERE wrd LIKE ?');
$stmt->execute(array('partial%'));
$rs =$stmt->fetchAll();

Many thanks to him. I was searching for the code & saw many examples, but i couldn't resolve my issue. This time I have succeed to do it. I used the 'Using question mark parameters:' section of the code.

For others help, if you want to retrieve the value from a variable you may change the code to

$stmt->execute(array($variable.'%'));

instead of

$stmt->execute(array('partial%'));

Because the word 'partial' is specified in the answer and can't be changed. Thanks a lot.