When escaping LIKE queries in PHP PDO with MySQL you need to do something like this:
$params['free'] = db_q::$dbh->quote("%".$params['free']."%", PDO::PARAM_STR );
Which means you quote the whole value, including the surrounding '% ... %' wildcards: they are part of the value that quote() quotes, not part of the SQL text around it. If you don't do this you are open to SQL injection. The same of course goes for prepared statements: the '%' belongs in the bound value, not in the query string.
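As an added example (not the page's own code), the same LIKE search done with a PDO prepared statement. It goes a step beyond the line above: quote() or a bound parameter only stops SQL injection, but a '%' or '_' typed by the user still works as a LIKE wildcard, so the example also shows escaping those with an explicit ESCAPE character when a literal match is wanted. The table name, column names, the escape character '!' and the in-memory SQLite database are assumptions made so it runs stand-alone; the SQL itself is the same on MySQL, which also supports the ESCAPE clause.

```php
<?php
// Added example: LIKE search with PDO prepared statements.
// (1) The '%' wildcards wrap the bound VALUE, never the SQL text, so quoting
//     is left entirely to the driver.
// (2) Binding protects against SQL injection only. '%' and '_' supplied by
//     the user are still LIKE wildcards, so they are escaped here with an
//     explicit escape character ('!', an arbitrary choice).
// Uses an in-memory SQLite database (assumption, so the script runs offline);
// the query works unchanged on MySQL, which supports LIKE ... ESCAPE as well.

function escapeLikeValue(string $value, string $esc = '!'): string
{
    // Escape the escape character first, then the two LIKE metacharacters.
    // str_replace applies the pairs in order, so the '!' added by the
    // later replacements is not escaped again.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

function searchTitles(PDO $dbh, string $free, bool $literal = true): array
{
    $term = $literal ? escapeLikeValue($free) : $free;
    // Wildcards are concatenated onto the parameter value, not the query.
    $stmt = $dbh->prepare(
        "SELECT title FROM posts WHERE title LIKE :pat ESCAPE '!' ORDER BY id"
    );
    $stmt->bindValue(':pat', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (assumed table and rows).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$ins = $dbh->prepare('INSERT INTO posts (title) VALUES (?)');
foreach (['100% cotton', 'cotton_candy', 'cottonwood', "O'Brien's 50% off sale"] as $t) {
    $ins->execute([$t]);
}

// A quote in the input is handled by the driver: no SQL injection.
var_dump(searchTitles($dbh, "O'Brien"));
// Trailing '_' matched literally: only the title that really contains it.
var_dump(searchTitles($dbh, 'cotton_'));
// Same input with wildcards left active: '_' matches any one character.
var_dump(searchTitles($dbh, 'cotton_', false));
// A bare '%' from the user: literal match versus "match everything".
var_dump(searchTitles($dbh, '%'));
var_dump(searchTitles($dbh, '%', false));
```

The last two calls are the point: with escaping, a user-supplied '%' only finds the rows that contain a percent sign; without it, the pattern '%%%' returns the whole table. MySQL's default LIKE escape character is the backslash, but naming the escape character explicitly keeps the query independent of the connection's escaping mode and of the database engine.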
With the deprecated mysql_real_escape_string you would do it like this:
$params['free'] = mysql_real_escape_string($params['free']);
and then place it inside '%' . $params['free'] . '%' in the query.