
Hi, I'm new to PDO and trying to do a search query. I'm pretty sure the problem is in the syntax. Would be very cool if y'all could help.

So I'm doing a game commerce web application. I have a search bar to search games by name.


    $stmt = $pdo->prepare('SELECT * FROM JOGO WHERE nome LIKE :name');
    $stmt->execute(array('nome' => $search_input));

$search_input variable is probably not being read and the query is not working.

EDIT: Still not working

Pythus99
  • Describe what you expected to get and what you actually got. Include error messages. Please see [**How do I ask a good question?**](https://stackoverflow.com/help/how-to-ask) and [**What topics can I ask about here?**](https://stackoverflow.com/help/on-topic). – Alex Howansky Jan 15 '20 at 16:39
  • Also, your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. Instead of building queries with string concatenation, always use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Jan 15 '20 at 16:40
  • Also, you cannot mix mysql APIs, so `mysql_error` won't work if you're using PDO or MySQLi – aynber Jan 15 '20 at 16:47
  • Now that you've changed the post, the syntax looks correct. What is the exact problem you're having? Note that using LIKE without wildcards will just do a case-insensitive exact search. If you want to search for any rows where `nome` contains the search_input, then you need to surround your variable (by modifying or concatenating `$search_input`, not `:name`) with the wildcard character `%` – aynber Jan 15 '20 at 16:53

0 Answers
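An added example, not code from the original post or its commenters: a bound-parameter `LIKE` search in which the `execute()` array key matches the `:name` placeholder, the `%` wildcards are added to the bound value, and any `%` or `_` typed by the user is escaped so it matches literally. The in-memory SQLite database, the sample rows and the `searchGames()` helper are assumptions made so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows for the JOGO table named in the question.
$pdo->exec('CREATE TABLE JOGO (id INTEGER PRIMARY KEY, nome TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO JOGO (nome) VALUES (:nome)');
foreach (['Half-Life', 'Half-Life 2', '100% Orange Juice', 'Portal'] as $nome) {
    $insert->execute(['nome' => $nome]);
}

/**
 * Hypothetical helper: return the names of games containing $searchInput.
 */
function searchGames(PDO $pdo, string $searchInput): array
{
    // Escape the LIKE metacharacters (and the escape character itself, first)
    // so that user-supplied % and _ are matched literally, not as wildcards.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $searchInput);

    $stmt = $pdo->prepare(
        "SELECT nome FROM JOGO WHERE nome LIKE :name ESCAPE '!'"
    );

    // The key must be the placeholder name (:name). The wildcards belong to
    // the bound value, never to the SQL text around the placeholder.
    $stmt->execute(['name' => '%' . $escaped . '%']);

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Substring search: matches both Half-Life rows.
print_r(searchGames($pdo, 'half'));

// A literal percent sign: matches only the row containing "%".
print_r(searchGames($pdo, '%'));

// Quote characters travel as data in the bound value: no rows, no SQL error.
print_r(searchGames($pdo, "' OR 1=1 --"));
```

With `PDO::ERRMODE_EXCEPTION` set, a key that does not match the placeholder raises a `PDOException` at `execute()` instead of failing silently.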