PHP Pdo Prepared Statement - MySQL Like Query

implement LIKE query in PDO

You have to include the % signs in the $params, not in the query:

$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);

If you looked at the generated query in your previous code, you would see something like SELECT * FROM tbl WHERE address LIKE '%"foo"%' OR address LIKE '%"bar"%', because the prepared statement is quoting your values inside an already quoted string.

PHP PDO select like query

You cannot bind column names in PDO with the PARAM_STR type. Ideally, you should not be binding the columns in your query, but if you really want to do so, use the PARAM_INT data type:

$query = "select * from books where ? LIKE ?";
$result = $db->prepare($query);
$result->bindValue(1, $searchTerm, PDO::PARAM_INT);
$result->bindValue(2, "%$searchValue%", PDO::PARAM_STR);
$result->execute();

LIKE query using multiple keywords from search field using PDO prepared statement

Prepared statements protect you from SQL injection, so SQL code in the parameters will not be interpreted. You will have to build an SQL query with the correct number of AND itemTitle LIKE ? before calling prepare().

// Split the search string on whitespace; PREG_SPLIT_NO_EMPTY drops the empty
// entries that leading/trailing spaces would otherwise produce (an empty
// keyword would become LIKE '%%', which matches every row)
$keywords = preg_split('/\s+/', $keywords, -1, PREG_SPLIT_NO_EMPTY);
$totalKeywords = count($keywords);
$query = "SELECT * FROM prodsTable WHERE itemTitle LIKE ?";

// One additional "AND itemTitle LIKE ?" placeholder per extra keyword
for ($i = 1; $i < $totalKeywords; $i++) {
    $query .= " AND itemTitle LIKE ?";
}

$sql = $this->db->prepare($query);
// Positional placeholders are 1-based, so keyword index 0 binds to placeholder 1
foreach ($keywords as $key => $keyword) {
    $sql->bindValue($key + 1, '%' . $keyword . '%');
}
$sql->execute();

How do I create a PDO parameterized query with a LIKE statement?

Figured it out right after I posted:

$query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->execute(array('value%'));

while ($results = $query->fetch())
{
echo $results['column'];
}

pdo prepared statements with wildcards

It can work with bindParam too, in the following way:

$name = "%$name%";
$query = $dbh->prepare("SELECT * FROM `gc_users` WHERE `name` like :name");
$query->bindParam(':name', $name);
$query->execute();

Using PDO Prepared Statements With MySQL Query Variable

You can't use query parameters to insert expressions into your syntax. Parameters are not just string interpolation. If they were, there would be no benefit to using them, because you can do string interpolation easily in PHP already.

The whole point of query parameters is that the value is combined with the query on the server, after the SQL syntax has been parsed, so it's too late for you to insert any new syntax, like an expression.

Query parameters are always treated as a single scalar value. You can't use a parameter for:

  • Table identifiers
  • Column identifiers
  • SQL keywords
  • Expressions
  • Lists of values

As others have explained, in this case, you have no need to use a query parameter anyway. Using the literal expression log + 1 directly in your query is safe. There's no untrusted content (from users or other sources) being inserted into the query, so there's no risk of SQL injection.

Building multi word LIKE Prepared statement for PDO query

I asked the same question on Sitepoint:
https://www.sitepoint.com/community/t/multi-word-like-prepared-statement-for-pdo-query/223738/5

And got a solution there:

// $sql is assumed to hold the query built earlier (not shown here) with one
// named placeholder per keyword: :search0, :search1, ...; $sql_str is the raw
// search string and $totalKeywords the number of entries in $keywords
$stmt = $pdo->prepare($sql);
if (!empty($sql_str)) {
    for ($x = 0; $x < $totalKeywords; $x++) {
        // add the percent signs, or make a new copy of the array first if you want to keep the parameters
        $keywords[$x] = "%" . $keywords[$x] . "%";
        // bindParam binds by reference, so the array element must keep existing until execute()
        $stmt->bindParam(':search' . $x, $keywords[$x]);
    }
}
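Both multi-keyword answers above (the positional-placeholder version and the :searchN version) bind the raw keyword between percent signs, so a user-supplied "%" or "_" still acts as a LIKE wildcard. The following is an added example, not code from any of the answers, that builds the same kind of query with named placeholders while escaping those wildcards via an ESCAPE clause and taking the column name from an allow-list rather than a parameter. It assumes the pdo_sqlite extension; the table, column names and rows are constructed for the demo.

```php
<?php
// Added example: multi-keyword LIKE query with wildcard escaping.
// Uses in-memory SQLite so it runs stand-alone; the same SQL works on MySQL.

function escapeLike(string $term, string $esc = '!'): string
{
    // Escape the escape character itself first, then the two LIKE metacharacters,
    // so "100%" is searched literally instead of matching "1000".
    return strtr($term, [$esc => $esc . $esc, '%' => $esc . '%', '_' => $esc . '_']);
}

function buildKeywordQuery(string $column, string $input): array
{
    // Identifiers cannot be bound, so the column must come from a fixed allow-list.
    $allowed = ['itemTitle', 'itemDescription'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Column not searchable: $column");
    }
    $keywords = preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
    if ($keywords === []) {
        throw new InvalidArgumentException('No search terms given');
    }
    $clauses = [];
    $params = [];
    foreach ($keywords as $i => $kw) {
        // One named placeholder per keyword; '!' is declared as the escape character.
        $clauses[] = "$column LIKE :search$i ESCAPE '!'";
        $params[":search$i"] = '%' . escapeLike($kw) . '%';
    }
    $sql = 'SELECT itemTitle FROM prodsTable WHERE ' . implode(' AND ', $clauses);
    return [$sql, $params];
}

// Constructed demo data (hypothetical table and rows)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prodsTable (itemTitle TEXT, itemDescription TEXT)');
$pdo->exec("INSERT INTO prodsTable VALUES ('100% cotton shirt', 'x'), ('1000 piece puzzle', 'y')");

[$sql, $params] = buildKeywordQuery('itemTitle', ' 100% ');
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
// With escaping, the '%' in the input is literal, so the puzzle row is not matched
// by the "100" prefix alone as it would be with an unescaped '%100%%' pattern.
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```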
