LIKE query using multiple keywords from search field using PDO prepared statement
Prepared statements protect you from SQL injection, so SQL code in the parameters will not be interpreted. You will have to build a SQL query with the correct number of AND itemTitle LIKE ? before calling prepare().
$keywords = preg_split('/[\s]+/', $keywords);
$totalKeywords = count($keywords);
$query = "SELECT * FROM prodsTable WHERE itemTitle LIKE ?";
for ($i = 1; $i < $totalKeywords; $i++) {
    $query .= " AND itemTitle LIKE ? ";
}
$sql = $this->db->prepare($query);
foreach ($keywords as $key => $keyword) {
    $sql->bindValue($key + 1, '%' . $keyword . '%');
}
$sql->execute();
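Binding keeps the keywords from being parsed as SQL, but % and _ inside a bound LIKE value still act as wildcards, and empty keywords become a match-everything '%%'. The following is an added example, not code from any of the answers on this page, that builds the same multi-keyword query with both cases handled; the function names, the '!' escape character, the sample rows and the in-memory SQLite database (pdo_sqlite) are assumptions.

```php
<?php
// Added example. Table and column names follow the answer above; everything
// else (function names, '!' escape character, sample rows) is constructed.

// Escape LIKE metacharacters so a typed % or _ matches literally.
// The escape character itself is doubled first, then % and _ are prefixed.
function likeContains(string $term, string $esc = '!'): string
{
    $escaped = str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
    return '%' . $escaped . '%';
}

function searchTitles(PDO $db, string $input): array
{
    // PREG_SPLIT_NO_EMPTY drops the empty strings that leading, trailing or
    // repeated whitespace would otherwise turn into a '%%' pattern.
    $keywords = preg_split('/\s+/', $input, -1, PREG_SPLIT_NO_EMPTY);
    if ($keywords === []) {
        return [];
    }
    // One placeholder per keyword; only fixed SQL text is concatenated.
    $clauses = array_fill(0, count($keywords), "itemTitle LIKE ? ESCAPE '!'");
    $stmt = $db->prepare(
        'SELECT itemTitle FROM prodsTable WHERE ' . implode(' AND ', $clauses)
    );
    $stmt->execute(array_map('likeContains', $keywords));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE prodsTable (itemTitle TEXT)');
$insert = $db->prepare('INSERT INTO prodsTable (itemTitle) VALUES (?)');
foreach (['Red cotton shirt', '100% wool scarf', 'Blue cotton scarf'] as $title) {
    $insert->execute([$title]);
}

print_r(searchTitles($db, '  cotton   scarf ')); // two keywords, extra spaces
print_r(searchTitles($db, '%'));                 // a literal percent sign
print_r(searchTitles($db, '   '));               // whitespace only
```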
How to perform a LIKE query using multiple keywords from search field using mysqli prepared statement
As user3783243 states in the comments above, my placeholders and parameters were not matching. So in order to solve that, I did the following (this will be sloppy as I'm new to PHP but if someone can clean it up for me I'll award the answer to that).
First you have to create a string for the type parameter (mine are all strings so this was easy, you could run a conditional statement if you have different types). Since I use two placeholders for each entry in my SQL, each iteration will include two s's.
$typeparam = '';
foreach ($word as $key => $value) {
    $typeparam .= 'ss';
}
Then create a new array to put the types and the values all together (again, since there are two placeholders for each parameter, I just add the $word twice to the array):
$bindpars = array();
$bindpars[] = &$typeparam;
foreach ($word as $key => $value) {
    $bindpars[] = &$word[$key];
    $bindpars[] = &$word[$key];
}
Finally, bind the parameters using call_user_func_array:
call_user_func_array(array($stmt,'bind_param'),$bindpars);
So the code in my question now looks like this:
$word = preg_split('/[\s]+/', $terms);
$totalwords = count($word);
// Two placeholders (title and content) per search word.
$sql = "SELECT title,content FROM articles WHERE (title LIKE CONCAT('%',?,'%') OR content LIKE CONCAT('%',?,'%'))";
for ($i = 1; $i < $totalwords; $i++) {
    $sql .= " AND (title LIKE CONCAT('%',?,'%') OR content LIKE CONCAT('%',?,'%'))";
}
$stmt = $conn->prepare($sql);
// Type string: one 's' per placeholder.
$typeparam = '';
foreach ($word as $key => $value) {
    $typeparam .= 'ss';
}
// bind_param() takes its arguments by reference, hence the & on each entry.
$bindpars = array();
$bindpars[] = &$typeparam;
foreach ($word as $key => $value) {
    $bindpars[] = &$word[$key];
    $bindpars[] = &$word[$key];
}
call_user_func_array(array($stmt, 'bind_param'), $bindpars);
$stmt->execute();
$stmt->store_result();
PDO Search same keyword in multiple columns
I solved my own problem like this:
$keywordfromform = $_GET["keyword"];
$keyword = "%$keywordfromform%";
$sql = 'SELECT * FROM table
        WHERE author LIKE ? OR title LIKE ? OR text LIKE ?';
$stmt = $pdo->prepare($sql);
$stmt->execute(array($keyword, $keyword, $keyword));
$entries = $stmt->fetchAll();
Explanation: I think the problem was that for each ? I needed to bind a $keyword. And I did know how to combine them. Then I looked it up on php.net and realised that I may just need to add array().
How to make a search form work with multiple fields using PDO prepared statement
You can do it like you did before:
$fields = array('first_name', 'last_name', 'email', 'job', 'country', 'city');
$inputParameters = array();
foreach ($fields as $field) {
    // don't forget to validate the fields values from $_POST
    if (!empty($_POST[$field])) {
        $inputParameters[$field] = '%' . $_POST[$field] . '%';
    }
}
$where = implode(' OR ', array_map(function($item) {
    return "`$item` LIKE :$item";
}, array_keys($inputParameters)));
$search = $db->prepare("SELECT `id`, `name` FROM `users` WHERE $where");
$search->execute($inputParameters);
foreach ($search->fetchAll(PDO::FETCH_ASSOC) as $row) {
    var_dump($row);
}
Using PDO query, without prepared statements, with multiple LIKE statements from multiple HTML input fields
You've forgotten quotes around the $_POST values that you're directly inserting into your queries:
$conditions[] = "$field LIKE CONCAT ('%', '$_POST[$field]', '%')";
                                          ^--            ^--
so while this will fix your immediate problem, you'll still be wide open to sql injection attacks.
How do I create a PDO parameterized query with a LIKE statement?
Figured it out right after I posted:
$query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->execute(array('value%'));
while ($results = $query->fetch()) {
    echo $results['column'];
}