如何使用LIKE子句询问准备查询

本文介绍了如何使用LIKE子句询问准备查询的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

请看下面的代码这与mysqli方法工作正常，但很容易sql注入所以我想使用准备但是喜欢我不能使用它

$ t = strtolower（$ _ POST ['e']）;

$ search_exploded = explode（，$ t）;

$ construct ='';

foreach（$ search_exploded as $ search_each）{

$ construct。=AND title LIKE？;

}

$ query = $ conn-> prepare（SELECT * FROM vdo WHERE 1 $ construct）;

$ query-> execute（[％$ search_each％]）;

$ found = $ query-> rowCount（）;

if（$ found == 0）{

echoNO Result Found;

}其他{

while（$ row_id1 = $ query-> fetch（PDO :: FETCH_ASSOC））{

echo $ title = $ row_id1 ['title'];

}

我尝试了什么：

请看下面的代码这与mysqli方法工作正常但很容易sql注入所以我想使用准备但是为了LIKE我不能使用它

解决方案

please see the below code this works fine with mysqli method but prone to sql injection so i want to use prepare but for LIKE i cant use it

$t=strtolower($_POST['e']);
$search_exploded = explode ( " ", $t );
$construct = '';
foreach( $search_exploded as $search_each ) {
$construct .="AND title LIKE ? ";
}

$query=$conn->prepare( "SELECT * FROM vdo WHERE 1 $construct ");
$query->execute(["%$search_each%"]);
$found=$query->rowCount();
if($found == 0){
echo "NO Result Found";

}else{
while($row_id1=$query->fetch(PDO::FETCH_ASSOC)){
echo $title=$row_id1['title'];

}

What I have tried:

please see the below code this works fine with mysqli method but prone to sql injection so i want to use prepare but for LIKE i cant use it

解决方案