Using "Like" Wildcard in Prepared Statement

Using like wildcard in prepared statement

You need to set it in the value itself, not in the prepared statement SQL string.

So, this should do for a prefix-match:

notes = notes
    .replace("!", "!!")
    .replace("%", "!%")
    .replace("_", "!_")
    .replace("[", "![");
PreparedStatement pstmt = con.prepareStatement(
        "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
pstmt.setString(1, notes + "%");

or a suffix-match:

pstmt.setString(1, "%" + notes);

or a global match:

pstmt.setString(1, "%" + notes + "%");

Running PreparedStatement with Like clause with wildcard

SQL Server accepts wild characters in the LIKE clause within the single quotation marks, like this ''.

A sample SQL query:

SELECT NAME FROM VERSIONS WHERE NAME LIKE 'Upd%'

The query above will yield you results on SQL Server. Applying the same logic to your Java code will retrieve results from your PreparedStatement as well.

PreparedStatement stmt = conn.prepareStatement("SELECT NAME FROM VERSIONS WHERE NAME LIKE ?");
stmt.setString(1, "Upd%");

I've tested this code on SQL Server 2012 and it works for me. You need to ensure that there are no trailing spaces in the search literal that you pass on to your JDBC code.

Though as a side note, you need to understand that a wildcard % used in the beginning, enforces a full table scan on the table which can deteriorate your query performance. A good article for your future reference.

Hope this helps!

Implement LIKE in PHP prepared Statements with % wildcards

I want to thank everyone for their help with this. ArtisticPhoenix got me headed in the right direction.

This post hit the mark of what I was looking for to bring it all together:

Adding a wildcard character to a string in PHP

Here's the "slightly" updated code:

    $search = $_POST['search'].'%';

    //echo($search);

    $stmt = $link->prepare("SELECT lname, fname FROM planner WHERE lname LIKE ?");
    $stmt->bind_param('s', $search);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows > 0) {
    echo "<table><tr><th>Last Name</th><th>First Name</th></tr>";
    while($row = $result->fetch_assoc()) {
        echo "<tr><td>".$row["lname"]."</td><td>".$row["fname"]."</td></tr>";
    }
    echo "</table>";
} else {
    echo "0 results";
}

Using like statement with $wpdb- prepare showing hashes where wildcard characters are

Don't worry about the hashes, they'll get replaced with % in $wpdb when you execute your query.

These hashes were introduced with WP v4.8.3 as a fix for SQL injection attack.

They're placeholders for the % character. It prevents someone from using something other than %s, %d, and %f. If there's a % other than those approved uses, it'll replace the % with a hash. That hash will get replaced back to % when $wpdb executes the query.

If you want to remove the hashes yourself, you can use remove_placeholder_escape(), like so:

$query['conditions'][] = $wpdb->remove_placeholder_escape($wpdb->prepare($condition, $name));

Using wildcards in prepared statement - MySQLi

You have to pass parameters to bind_param() by reference, which means you have to pass a single variable (not a concatenated string). There's no reason you can't construct such a variable specifically to pass in, though:

$className = '%' . $this->className . '%';
$query->bind_param('s', $className);

how to implement like operator in prepared statement?

Use 

ps.setString(1, "%" + o.getOrgan() + "%");

Note the absence of quotes.

How to use SQL Wildcard in PreparedStatement with variable

Instead of using the concat operator you could use

like upper('%' || ? || '%')

slightly more readable.

Prepared statement LIKE wildcard

searchcolumn cannot be a bind variable. You can't bind table/column names

$sql = sprintf("SELECT * FROM `book` WHERE teacher_id = ? AND `%s` LIKE ?", $searchColumn);
$searchTerm = "%{$searchTerm}%";

$stmt = $link->stmt_init();
$stmt->prepare($sql);
$stmt->bind_param('is', $teacherid, $searchTerm);

It would also be a good idea to whitelist $searchColumn, validating that it really is a column in your book table before executing this

EDIT

And why bother using fetch_array(MYSQLI_BOTH) when you're only using associative values from the array? Using fetch_assoc() would be better, or you could be even cleverer, and use fetch_object(), and then you wouldn't need to populate your Book object property by property

Consider:

while ($book = $result->fetch_object('Book')) {
    array_push($books, $book);
}

Related Topics

What Is the "Owning Side" in an Orm Mapping

How to Get the SQL of a Preparedstatement

What Are Runtime.Getruntime().Totalmemory() and Freememory()

Regex to Match Only Commas Not in Parentheses

What Is the Best Approach for Using an Enum as a Singleton in Java

Using Sleep() for a Single Thread

Getting Request Payload from Post Request in Java Servlet

Cannot Make a Static Reference to the Non-Static Field

Very Confused by Java 8 Comparator Type Inference

By Default, Jsf Generates Unusable Ids, Which Are Incompatible with the CSS Part of Web Standards

Java Executors: How to Be Notified, Without Blocking, When a Task Completes

What Are Generics in Java

When Is the @JSONproperty Property Used and What Is It Used For

Java Random Always Returns the Same Number When I Set the Seed

Returning Null as an Int Permitted with Ternary Operator But Not If Statement

How to Change UI Depending on Combo Box Selection

Determining If an Object Is of Primitive Type

Keylistener Not Working for JPAnel


Leave a reply



Submit