Tell me how to properly organize a search with the LIKE operator. The site searches a text field in the database (PHP, MySQL) with a query of the form "... where pole like '%blabla%' ...".
As I understand it, this is not safe; please advise how best to do it.
It turns out that any value can be passed to the LIKE operator, since whatever is typed into the search field on the site is substituted there directly.
As an example:
mysql_query("SELECT * FROM songs WHERE songname LIKE '$searchData%'");
Answer 1, authority 100%
$query = mysql_real_escape_string($searchData);
mysql_query("SELECT * FROM songs WHERE songname LIKE '$query%'");
But this extension is deprecated. It is better to use PDO or MySQLi; they also provide methods for escaping a string before using it in a query.
http://php.net/manual/en/pdo.quote.php – PDO
http://php.net/manual/en/mysqli.real-escape-string.php – MySQLi
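As an added example (not from the question or the answer above), the same search written with a PDO prepared statement: the user input is bound as a parameter, so quotes cannot break out of the string, and the LIKE wildcards `%` and `_` in the input are escaped so they match literally. The database name, credentials and the `searchSongs`/`escapeLikePattern` helper names are assumptions; the `songs`/`songname` table and column come from the question.

```php
<?php
// Added example: parameterised LIKE search with PDO.
// Assumes a MySQL database "music" on localhost (credentials are placeholders)
// and the table songs(songname) from the question.

/**
 * Escape LIKE metacharacters so that '%' and '_' typed by the user are matched
 * literally. '!' is used as the escape character (declared with ESCAPE in the
 * query), so a literal '!' must be doubled first.
 */
function escapeLikePattern(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

/**
 * Return songs whose name starts with $searchData. The pattern is bound as a
 * parameter, never interpolated into the SQL text; the trailing '%' wildcard
 * is appended on the PHP side after the input has been escaped.
 */
function searchSongs(PDO $pdo, string $searchData): array
{
    $sql  = "SELECT * FROM songs WHERE songname LIKE :pattern ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', escapeLikePattern($searchData) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=music;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed sample input: the quote cannot terminate the SQL string literal,
// and the '%' is searched for as a literal character, not as a wildcard.
$rows = searchSongs($pdo, $_GET['q'] ?? "100% rock'n'roll");
foreach ($rows as $row) {
    echo htmlspecialchars($row['songname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```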