0

I am having a problem with the execution of my SQL query. Here is my code snippet...

$db = phpmotorsConnect();
$sqlSearch = "'%" . $searchTxt . "%'";
$sql = "SELECT * FROM inventory WHERE invColor LIKE :sqlSearch OR invMake LIKE :sqlSearch OR invModel LIKE   
:sqlSearch OR invDescription LIKE :sqlSearch OR invPrice LIKE :sqlSearch";
$stmt = $db->prepare($sql);
// THIS LINE: 
$stmt->bindValue(':sqlSearch', $sqlSearch, PDO::PARAM_STR);
$stmt->execute();

The line indicated is NOT replacing the placeholder value with the variable $sqlSearch, like we did on the account and vehicle models. Any ideas why? I've tested out the query and it works as long as there is a good value in there.

I was expecting the placeholder, :sqlSearch, to be replaced with '%%', having the search text in for the string.

Martin
  • 22,212
  • 11
  • 70
  • 132
Eron Whitefield
  • 1
  • 1
  • 1
    You can not concatenate wildcards in the placeholder ; they will always be escaped by the prepared statement system, for intended security purposes. Please see [This Q&A](https://stackoverflow.com/questions/18527659/how-can-i-with-mysqli-make-a-query-with-like-and-get-all-results/) – Martin Dec 09 '22 at 22:18
  • 4
    You should not have the single quotes in the value for sqlSearch – Nigel Ren Dec 09 '22 at 22:22

0 Answers0