When escaping like queries in PHP PDO mysql you will need to do something like this.
$params['free'] = db_q::$dbh->quote("%".$params['free']."%", PDO::PARAM_STR );
Which means you escape everything - including '% ... %'. If you don't do this you may suffer SQL injection. The same off cause goes when using prepared statements.
With the deprecated
mysql_real_escape_string you would do it like this:
$params['free'] = mysql_real_escape_string($params['free']);
And then after place it inside '
%' . $params['free'] . '%' the query.
This page has been requested 4681 times