
I have created a live search system, and I am looking to convert the query it uses to a parameterized one to protect against injection.

I'm not having much luck with this, as it uses '%".$_POST["search"]."%' instead of a regular variable, which I would normally replace with :search.

This is all I'm trying to convert over to parameterised, keeping the same variable names:

$model_search_query = "SELECT * FROM models WHERE model LIKE '%".$_POST["search"]."%'";
$model_search_query_pass = mysqli_query($cameras, $model_search_query);

Thank you for any help.

Bradley
  • See this (PDO) info: http://stackoverflow.com/questions/16255657/pdo-prepared-statements-with-wildcards – Paul T. May 21 '17 at 15:11
  • @PaulT. Thank you, but I need to do it in MySQLi only; I know how to do it in PDO – Bradley May 21 '17 at 15:12
  • Oh, ok, I was going off your :search reference. Here's an example with mysqli: http://stackoverflow.com/questions/26543097/mysqli-bind-parameter-like-with-wildcard – Paul T. May 21 '17 at 15:18
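
The conversion the question asks for, as an added example rather than code from the question or its comments: the wildcards are concatenated onto the bound value, not the SQL text, and LIKE metacharacters in the user input are escaped so they match literally. It assumes the `$cameras` mysqli connection and the `models`/`model` table and column from the question, plus the mysqlnd driver for `get_result()`; the `search_models` helper name is an assumption.

```php
<?php
// Added example, not from the question. Assumes an open mysqli connection
// in $cameras and a `models` table with a `model` column, as in the question.
declare(strict_types=1);

/**
 * Run the live-search query as a prepared statement.
 * The '%' wildcards are added to the bound value, so the user's input
 * never becomes part of the SQL string that MySQL parses.
 */
function search_models(mysqli $cameras, string $search): array
{
    // Escape LIKE metacharacters: a user typing "%" or "_" should match
    // those literal characters, not act as wildcards. Backslash is
    // MySQL's default LIKE escape character.
    $escaped = addcslashes($search, '\\%_');
    $pattern = '%' . $escaped . '%';

    // Same variable name as the original; '?' is the mysqli placeholder.
    $model_search_query = "SELECT * FROM models WHERE model LIKE ?";
    $stmt = $cameras->prepare($model_search_query);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $cameras->error);
    }
    // 's' = bind as string; the value travels separately from the SQL text.
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    // get_result() requires mysqlnd (assumption); use bind_result() otherwise.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$search = $_POST['search'] ?? '';
$model_search_query_pass = search_models($cameras, $search);
foreach ($model_search_query_pass as $row) {
    // Escape on output as well, since results are rendered into HTML.
    echo htmlspecialchars($row['model'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

A search for `'; DROP TABLE models; --` now simply returns the rows whose model name contains that text (normally none), because the bound value is never interpreted as SQL.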

0 Answers