I have a table named test. In the test table there is a column test1. The test1 column has the string value "abc & def", and I have created a string variable $str = "abc & def". When I try to execute a LIKE query (select * from test where test1 like '%$str%'), it gives nothing in the result. Can anyone help?
Viewed 612 times
0
- Your variable doesn't get resolved. Post your exact code of how you're trying to execute the statement. – fancyPants Sep 13 '18 at 13:21
- LIKE should work fine with ampersands. – B001ᛦ Sep 13 '18 at 13:22
- SELECT * FROM `test` WHERE `test1` LIKE '%abc & def%' works. – maio290 Sep 13 '18 at 13:22
- No, this is not working; actually my string is this: 'IMR E & T S.r.l.' – Kalpit tandon Sep 16 '18 at 05:00
1 Answer
0
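I am assuming you are using core (vanilla) PHP:

Something like below:

```php
// PDO::quote() returns the value wrapped in single quotes; strip them because the SQL adds its own.
// This is for PDO; for MySQLi use $db->escape_string($str) instead (it adds no quotes).
$esc_str = substr($db->quote($str), 1, -1);
$qry = "select * from test where test1 like '%$esc_str%'";
```

Use the below:

```php
$esc_str = substr($db->quote($str), 1, -1);
$qry = "select * from test where test1 like '%" . $esc_str . "%'";
```

or

```php
$esc_str = substr($db->quote($str), 1, -1);
$qry = "select * from test where test1 like \"%$esc_str%\"";
```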
this example converts php variable to https://www.virendrachandak.com/techtalk/php-double-quotes-vs-single-quotes/
Hope it helps :)

Damian Yerrick

yoganand yoganand
- @MadhurBhaiya so what is your suggestion if it's core PHP and MySQL? Obviously $str should be validated first. – yoganand yoganand Sep 13 '18 at 13:42
- Use prepared statements (either MySQLi or PDO extensions can be used) – Madhur Bhaiya Sep 13 '18 at 13:44
- @MadhurBhaiya - do you mean to say MySQLi is injection proof? – yoganand yoganand Sep 13 '18 at 13:46
- Please read about [why parametrized queries (or, prepared statements) are necessary to prevent SQL injection issues](https://stackoverflow.com/a/60496/2469308). – Madhur Bhaiya Sep 13 '18 at 13:50
- If I am using 'and' instead of '&' in 'IMR E &T S.r.l.' this string then it works fine, but I wanna '&' not 'and'. – Kalpit tandon Sep 16 '18 at 05:08
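
Added example, not part of the original question, answer or comments: the prepared-statement approach suggested in the comments, applied to the question's LIKE search on `test.test1`. It assumes an in-memory SQLite database through PDO so that it runs offline (the question uses MySQL, where the same `prepare`/`execute` calls apply); the helper name `like_contains`, the `!` escape character and the sample rows are constructed for illustration.

```php
<?php
// Added example: parameterized LIKE search (not code from the page).
// Assumption: in-memory SQLite via PDO so the script is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows, using the table and column names from the question.
$db->exec('CREATE TABLE test (test1 TEXT)');
$insert = $db->prepare('INSERT INTO test (test1) VALUES (?)');
foreach (['abc & def', 'IMR E & T S.r.l.', 'abc and def', '100% match'] as $row) {
    $insert->execute([$row]);
}

/**
 * Hypothetical helper: return the test1 values that contain $needle literally.
 */
function like_contains(PDO $db, string $needle): array
{
    // Escape the LIKE wildcards (and the escape character itself) so that
    // '%' and '_' typed by a user match literally instead of acting as wildcards.
    $escaped = strtr($needle, ['!' => '!!', '%' => '!%', '_' => '!_']);

    // The value travels as a bound parameter, never as part of the SQL text,
    // so '&', quotes and other punctuation need no manual quoting.
    $stmt = $db->prepare("SELECT test1 FROM test WHERE test1 LIKE ? ESCAPE '!'");
    $stmt->execute(['%' . $escaped . '%']);

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The two strings from the question, ampersand included.
print_r(like_contains($db, 'abc & def'));
print_r(like_contains($db, 'IMR E & T S.r.l.'));

// A value containing quotes is treated as data, not as SQL.
print_r(like_contains($db, "S.r.l.' OR '1'='1"));

// A bare '%' matches only the row that really contains a percent sign.
print_r(like_contains($db, '%'));
```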