开发者

How to add a % right before and after a function returned value in MYSQL query

问答 作者:

I want to make our search module be able to search keywords like *lex. Using * to substitute the letters before that. I found the % I add into my query doesn't work and returns error. Please help me to have a look at my code. thanks

if(substr($searchfirst_name, 0, 1) == '*'){
  $subquery .= " AND first_name LIKE %".Formatter::s开发者_运维问答ql($searchfirst_name);
}elseif(substr($searchfirst_name, -1, 1) == '*'){
  $subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name)."%";
}else{
  $subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name);
}

I think the problem is because of the function Formatter::sql(). It filter the variable and add slash to it. How do I modify or create a new function to do this?

public static function sql($value, $fieldName = false) {
if($fieldName) {
  return '`' . $value . '`';
}
else if( is_string($value) ) {
  return '\'' . addslashes($value) . '\'';
}
else if($value === null) {
  return 'NULL';
}
else if($value === true) {
  return 1;
}
else if($value === false) {
  return 0;
}
else if( is_numeric($value) ) {
  return $value;
}
else {
  return '\'' . addslashes($value) . '\'';
}

}

You have to use quotes I think:
LIKE '%...' or LIKE '...%'

EDITED:
Well, the error is clear now:
query run using formatter is like .... LIKE %'....' which is completely wrong.
When you use LIKE clause don't use formatter, but use $searchfirst_name directly!!

Try this

if(substr($searchfirst_name, 0, 1) == '*'){
  $subquery .= " AND first_name LIKE '%".Formatter::sql($searchfirst_name)."'";
}elseif(substr($searchfirst_name, -1, 1) == '*'){
  $subquery .= " AND first_name LIKE '".Formatter::sql($searchfirst_name)."%'";
}else{
  $subquery .= " AND first_name LIKE '".Formatter::sql($searchfirst_name)."'";
}

The first two look ok, but your third else cannot be LIKE. See below.

if(substr($searchfirst_name, 0, 1) == '*'){
  $subquery .= " AND first_name LIKE %".Formatter::sql($searchfirst_name);
}elseif(substr($searchfirst_name, -1, 1) == '*'){
  $subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name)."%";
}else{
  $subquery .= " AND first_name = ".Formatter::sql($searchfirst_name);
}

You had an % outside of string quotes and you probably need to get rid of * characters too

So instead of whole if contruct: 

$subquery .= " AND first_name LIKE ".str_replace('*','%',Formatter::sql($searchfirst_name));

but beware this gives the functionality to substitute * everywhere in the string

Just do:

if(substr($searchfirst_name, 0, 1) == '*'){
  $subquery .= " AND first_name LIKE ".Formatter::sql('%'.$searchfirst_name);
}elseif(substr($searchfirst_name, -1, 1) == '*'){
  $subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name.'%');
}else{
  $subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name);
}

This will work because the escape functionality in Formatter::sql won't affect teh '%'

In your sql function, replace addslashes with the database provided escape function, e.g., mysql_real_escape_string. Always use the database mechanism for escaping strings (or better yet, use parameterized queries with PDO).

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9