
PHP PDO escape like query

2014-05-29 15:11 dennis iversen

Tags: php pdo

When escaping LIKE queries in PHP PDO with MySQL, you need to do something like this:

$params['free'] = db_q::$dbh->quote("%" . $params['free'] . "%", PDO::PARAM_STR);

This means the whole value is escaped, including the surrounding '% ... %' wildcards. If you don't do this you may suffer SQL injection. The same of course goes when using prepared statements: the complete '%...%' string is what you bind as the parameter.

With the deprecated mysql_real_escape_string you would do it like this:

$params['free'] = mysql_real_escape_string($params['free']);

And then place it between the wildcards in the query, as '%' . $params['free'] . '%'.
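As an added example (not from the original post), here is the prepared-statement form the text refers to: the whole '%...%' pattern is bound as one parameter, and the LIKE metacharacters % and _ inside the user's text are escaped as well, which quote() on its own does not do. The posts table, the function names and the in-memory SQLite database used as a stand-in for the MySQL connection (db_q::$dbh in the post) are assumptions.

```php
<?php
// Added example, not code from the original post.
declare(strict_types=1);

// Escape the LIKE wildcards in user input so that "50%" matches the literal
// text instead of acting as a pattern. '!' is the ESCAPE character used below.
function escapeLikeValue(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Search the hypothetical posts table. The wildcards are part of the bound
// value, never part of the SQL text, so the driver handles the quoting.
function searchPosts(PDO $dbh, string $free): array
{
    $stmt = $dbh->prepare(
        "SELECT id, title FROM posts WHERE title LIKE :free ESCAPE '!'"
    );
    $stmt->bindValue(':free', '%' . escapeLikeValue($free) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database standing in for the MySQL connection,
// filled with constructed sample rows.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $dbh->prepare('INSERT INTO posts (title) VALUES (?)');
foreach (['100% pure PHP', 'PDO escape tricks', "it's a _ test"] as $title) {
    $ins->execute([$title]);
}

// "100%" matches only the first row: the % is escaped, so it is a literal.
var_dump(count(searchPosts($dbh, '100%')) === 1);
// A quote in the input is handled by the driver, not by string concatenation.
var_dump(count(searchPosts($dbh, "it's")) === 1);
// Without escaping, "_" would match any single character; here it is literal.
var_dump(count(searchPosts($dbh, 'a _ t')) === 1);
```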
