-1

I have a SQL query:

SELECT id, title, file_name, file_path 
FROM Image 
WHERE title LIKE :search

The PDO SQL request is prepared like this:

//$search is "karen"
$param = "%$search%";
$stmt = $db->prepare($query);
$executed = $stmt->execute(array(':search' => $param));
if(!$executed){
  $error['error'] = $stmt->errorInfo();
  echo json_encode($error);
  exit();
}

My question is, will %karen% be interpreted as SQL (where %karen% means 0 or more characters before the karen and 0 or more characters after the karen) or will this be literally interpreted as me searching for a title that has %karen%?

Gurwinder Singh
14wml

1 Answer

0

You can use concat to append % and pass the parameter directly:

SELECT id, title, file_name, file_path 
FROM Image 
WHERE title LIKE concat('%', :search, '%')
Gurwinder Singh
  • Is `concat` something understood by SQL? Also since I'm putting this into an array in PHP can I do `'SELECT id, title, file_name, file_path FROM Image WHERE title LIKE concat('%', :search, '%')'` or do I have to use `''` (double quotes) (i.e. `"SELECT id, title, file_name, file_path FROM Image WHERE title LIKE concat('%', :search, '%')"`)? – 14wml Mar 27 '17 at 20:19
  • 1
    This doesn't answer the question. – shmosel Mar 27 '17 at 20:20
  • @15ongm - concat is a MySQL function. About the single or double quotes, I am not an expert in PHP. Perhaps someone else will answer your question. – Gurwinder Singh Mar 27 '17 at 20:21
  • @GurV actually I figured out my own question, but thanks for answering my question! This works! – 14wml Mar 27 '17 at 20:24
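
An added example, not part of the original question or answer: a bound parameter is used as the LIKE pattern itself, so `%` and `_` inside it act as wildcards; binding stops SQL injection but does not neutralise them. The sketch assumes the `pdo_sqlite` extension and a reduced `Image` table with constructed rows; the helper names `escapeLike` and `searchTitles` and the `!` escape character are illustrative choices.

```php
<?php
// Added example. Table contents are constructed sample data; the table is
// reduced to id/title. LIKE ... ESCAPE '!' is also valid in MySQL.

/** Escape LIKE metacharacters so user input is matched literally. */
function escapeLike(string $value, string $esc = '!'): string
{
    // Escape the escape character first, then the two wildcards.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

/** Substring search on title; $literal controls whether input is escaped. */
function searchTitles(PDO $db, string $search, bool $literal): array
{
    $term = $literal ? escapeLike($search) : $search;
    $stmt = $db->prepare(
        "SELECT title FROM Image WHERE title LIKE :search ESCAPE '!' ORDER BY id"
    );
    // The bound value is the pattern: the outer % are real wildcards.
    $stmt->execute([':search' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Image (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $db->prepare('INSERT INTO Image (title) VALUES (?)');
foreach (['karen at the beach', '100% karen', 'k_ren', 'kiren'] as $title) {
    $insert->execute([$title]);
}

// Pattern %karen%: the wildcards added in code match any prefix and suffix.
print_r(searchTitles($db, 'karen', true));
// User-typed "%" left unescaped: the pattern is %%% and matches on wildcards alone.
print_r(searchTitles($db, '%', false));
// Escaped: the pattern is %!%% and requires a literal percent sign in the title.
print_r(searchTitles($db, '%', true));
// "_" unescaped matches any single character; escaped it must be an underscore.
print_r(searchTitles($db, 'k_ren', false));
print_r(searchTitles($db, 'k_ren', true));
```

Escaping matters when search input comes from users: an unescaped `%` or `_` changes which rows match even though the statement is parameterised.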