I am running a SQL query that searches the database for a string posted by the user, and I get an error if the user's string contains a quotation mark.
function safe($string) {
    // Trim whitespace, remove backslashes, then HTML-encode special characters
    $string = htmlentities(stripslashes(trim($string)));
    // Strip leading/trailing single and double quotes (quotes inside the string stay)
    $string = trim(trim($string, "'"), '"');
    // Remove any HTML/PHP tags
    $string = strip_tags($string);
    return $string;
}
$searchQ = safe($_REQUEST['q'] ?? '');
// Wildcards are put into the bound value, not into the SQL text
$searchQ = "%$searchQ%";
// Earlier version that concatenated the term into the SQL string:
//$pullsib = $pdo->prepare("SELECT * FROM `categories` WHERE `status`='1' AND (`name` LIKE '%".$searchQ."%' OR `description` LIKE '%".$searchQ."%') ORDER BY rand() ASC LIMIT 50");
$pullsib = $pdo->prepare("SELECT * FROM `categories` WHERE `status`=1 AND (`name` LIKE ? OR `description` LIKE ?) ORDER BY rand() ASC LIMIT 50");
// $RegTool->bindParam(2, $searchQ, PDO::PARAM_STR);
$pullsib->bindParam(1, $searchQ, PDO::PARAM_STR);
$pullsib->bindParam(2, $searchQ, PDO::PARAM_STR);
$pullsib->execute();
The error I get is this: if $searchQ contains a quotation mark, e.g. "who's cat", it throws:
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'fgdhj%%' OR `description` LIKE
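A self-contained version of the search, added here as an example (it is not the code from the question). It binds the LIKE pattern as a parameter, so a quote in the term is data rather than SQL text, and it additionally escapes % and _ so a user typing them searches for those literal characters instead of injecting wildcards. It runs against SQLite's in-memory database with constructed sample rows; the table and column names are taken from the question, and the '!' escape character and the helper names are my own choice. It also keeps the commented-out concatenated form, whose quoted '%...%' literal matches the shape of the error text above, to show that form throwing on the same input while the bound version does not.

```php
<?php
// Added example, not code from the original question. It reproduces the search
// against an in-memory SQLite database so it runs offline; the table/column
// names mirror the question and the sample rows are constructed here.
declare(strict_types=1);

function buildDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE categories (
        id INTEGER PRIMARY KEY, name TEXT, description TEXT, status INTEGER)");
    $ins = $pdo->prepare("INSERT INTO categories (name, description, status) VALUES (?, ?, 1)");
    // Constructed rows: one with a quote, one with a LIKE wildcard, one with an ampersand
    foreach ([["who's cat", 'lost pets'], ['100% cotton', 'fabrics'], ['Tom & Jerry', 'cartoons']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

// Turn a raw search term into a LIKE pattern. Only the LIKE metacharacters need
// treatment (% and _, plus the escape character itself); quotes need nothing,
// because the bound value never becomes part of the SQL text.
function likePattern(string $term): string {
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

// Parameterised form of the query from the question. '!' is declared as the
// LIKE escape character; this syntax works on both SQLite and MariaDB.
function search(PDO $pdo, string $term): array {
    $pattern = likePattern($term);
    $stmt = $pdo->prepare(
        "SELECT name FROM categories WHERE status = 1
         AND (name LIKE ? ESCAPE '!' OR description LIKE ? ESCAPE '!')
         ORDER BY name LIMIT 50");
    $stmt->bindValue(1, $pattern, PDO::PARAM_STR);
    $stmt->bindValue(2, $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The concatenating form from the question, kept only to show the failure:
// a quote inside $term terminates the SQL string literal early, so the
// database sees malformed SQL and PDO throws a PDOException.
function concatenatedSearchThrows(PDO $pdo, string $term): bool {
    try {
        $pdo->query("SELECT name FROM categories WHERE name LIKE '%" . $term . "%'");
        return false;
    } catch (PDOException $e) {
        return true;
    }
}

$pdo = buildDb();
var_dump(search($pdo, "who's cat"));            // bound value: the quote is harmless
var_dump(search($pdo, '100%'));                 // escaped: matches only "100% cotton"
var_dump(search($pdo, 'Tom & Jerry'));          // raw term, no HTML encoding
var_dump(concatenatedSearchThrows($pdo, "who's cat"));
```

Two things worth checking in the original code against this: with the bound-parameter statement, a quote in the term cannot produce a SQL syntax error, because the value is sent separately from the SQL; an error whose text shows the term inside a quoted '%...%' literal is what the concatenated form produces. Separately, the htmlentities step in safe() changes the term before it reaches the database, so a search for "Tom & Jerry" arrives as "Tom &amp; Jerry" and will not match a row stored as "Tom & Jerry"; HTML encoding belongs at output time, not in the search term.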