这个接近回答我的问题:Protect from injections and right syntax for $_GET method
但是,我的问题是我正在尝试组合通配符搜索%。所以我的原始语句就是这样,它包含在try catch块中。
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno WHERE Store_name LIKE '%".$_GET['term']."%' AND city LIKE '%".$_GET['city']."%'";
$sql .= " AND address_line_1 LIKE '%".$_GET['address']."%'";
但我当然希望这样做。
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno WHERE Store_name LIKE ? AND city LIKE ?;
$sql .= " AND address_line_1 LIKE ? ";
这样的声明 $ stm =('%$ term%','%$ city%','%$ address%');
但是,这不起作用。我已经尝试了双重和单引号的所有变化,我可以想到连接,但没有什么对我有用。我把$ _GET变量放到另一个变量中。
是的,程序中还有其他代码可以进行绑定。最终陈述应该类似于。
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno WHERE Store_name LIKE ? AND city LIKE ?;
$sql .= " AND address_line_1 LIKE ? ";
$stm = ('%$term%','%$city%','%$address%');
sqlStatement($sql,$stm); //This is where the binding takes place in the program
所以我需要知道的是如何在变量中使用通配符。
答案 0 :(得分:2)
如果您正在使用PDO,那么我想做 -
$sql = "SELECT id, Store_name, address_line_1, city, state FROM pharmacies_weno
WHERE Store_name LIKE :store_name
AND city LIKE :city
AND address_line_1 LIKE :address_line_1 ";
// now prepared statement like-
$stmt = $conn->prepare($sql);
$stmt->execute(array(
':store_name'=>'%'.$_GET['store_name'].'%',
':city'=>'%'.$_GET['city'].'%',
':address_line_1'=>'%'.$_GET['address_line_1'].'%'
));
$result=$stmt->fetchAll();
如果您没有使用pdo,那么请查看pdo prepared statement via php.net