PHP PDO escape like query

php | pdo

When escaping LIKE queries with PHP PDO and MySQL you need to do something like this:

$params['free'] = db_q::$dbh->quote("%".$params['free']."%", PDO::PARAM_STR );

This quotes the entire value, including the surrounding '% ... %' wildcards. If you don't do this you are open to SQL injection. The same, of course, applies when using prepared statements: the '%' wildcards go into the bound value, not into the SQL string.

With the deprecated mysql_real_escape_string you would do it like this:

$params['free'] = mysql_real_escape_string($params['free']);

And then place '%' . $params['free'] . '%' inside the query.
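Added example (not code from the original post) showing the PDO approach above with a prepared statement and with quote(). It goes one step further than the post by also escaping the LIKE metacharacters '%' and '_' inside the user's input, so they match literally. It uses an in-memory SQLite database so it runs stand-alone; the "posts" table and its rows are constructed, and the same SQL works on MySQL.

```php
<?php
// Added example, not from the original post. The "posts" table, its rows and
// the $userInput value are constructed for the demonstration.
// ESCAPE '!' is used instead of a backslash to avoid backslash-handling
// differences between MySQL and SQLite.

/** Escape LIKE metacharacters so user input is matched literally. */
function escapeLike(string $value, string $esc = '!'): string
{
    // Escape the escape character first so later replacements are not re-escaped.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)");
$dbh->exec("INSERT INTO posts (title) VALUES ('50%_off sale'), ('500 off sale'), ('other')");

// Constructed user input that happens to contain both LIKE wildcards.
$userInput = "50%_off";

// Prepared statement: the whole pattern, '%' included, is the bound value.
$stmt = $dbh->prepare("SELECT title FROM posts WHERE title LIKE :pat ESCAPE '!'");
$stmt->bindValue(':pat', '%' . escapeLike($userInput) . '%', PDO::PARAM_STR);
$stmt->execute();
$literalMatches = $stmt->fetchAll(PDO::FETCH_COLUMN); // only titles containing the literal text

// Without escapeLike(), '%' and '_' in the input act as wildcards. This is
// still not SQL injection (the value is bound), but the result set is wider.
$stmt->bindValue(':pat', '%' . $userInput . '%', PDO::PARAM_STR);
$stmt->execute();
$wildcardMatches = $stmt->fetchAll(PDO::FETCH_COLUMN);

// quote() variant as in the post: quote the entire pattern, never splice raw input.
$quoted = $dbh->quote('%' . escapeLike($userInput) . '%', PDO::PARAM_STR);
$quotedMatches = $dbh->query("SELECT title FROM posts WHERE title LIKE $quoted ESCAPE '!'")
                     ->fetchAll(PDO::FETCH_COLUMN);

var_dump($literalMatches, $wildcardMatches, $quotedMatches);
```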

This page has been viewed 4225 times. First hit: 30-Oct-2015 16:56:36