I'm aware of Quote and QuoteInto, neither of which can help me with the following. I need to sanitize the input for the following SQL:

select * from log where message like '%bla%'

QuoteInto and Quote will add quotes that won't work with the % (wildcards). How do I sanitize this input so I end up with a "safe" SQL statement as above?

1 Answer

Append the % characters directly to your variable, and quote the entire value.
That would look something like this:

 $value = 'bla';
 // the wildcards are part of the bound value, so the whole thing is quoted as one string
 $db->quoteInto("SELECT * FROM log WHERE message LIKE ?", "%{$value}%");

As compared to this, which gives you the bad results you described:

 $value = 'bla';
 // the placeholder sits inside the quotes, so the quoted value ends up nested in them
 $db->quoteInto("SELECT * FROM log WHERE message LIKE '%?%'", $value);
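
A runnable version of the same point, added here as an example rather than code from the question or the answer: it uses Python's sqlite3 module instead of Zend_Db against a constructed in-memory `log` table, puts the spliced-in pattern next to the bound one, and goes one step beyond the answer by also escaping `%` and `_` inside the search term with an ESCAPE clause so that a user-supplied wildcard matches literally. The sample rows, function names and the choice of backslash as escape character are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
SAMPLE_ROWS = [
    (1, "user login ok"),
    (2, "bla happened"),
    (3, "100% complete"),
    (4, "under_score"),
    (5, "nothing to see"),
]


def make_db():
    """In-memory stand-in for the question's `log` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, message TEXT)")
    conn.executemany("INSERT INTO log VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so '%' and '_' in `value` match literally.

    The escape character itself is doubled first; it must also be named in
    the query's ESCAPE clause for the database to honour it.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_unsafe(conn, term):
    """What the question is trying to avoid: the term is spliced into the
    SQL text, so a quote inside it rewrites the statement."""
    sql = "SELECT id FROM log WHERE message LIKE '%" + term + "%'"
    return sorted(r[0] for r in conn.execute(sql))


def search_bound(conn, term):
    """The answer's approach: append the wildcards to the value, then bind
    the whole pattern as a single parameter."""
    pattern = "%" + term + "%"
    return sorted(r[0] for r in conn.execute(
        "SELECT id FROM log WHERE message LIKE ?", (pattern,)))


def search_literal(conn, term):
    """Bound and escaped: '%' and '_' typed by the user no longer act as
    wildcards, only the two we append do."""
    pattern = "%" + escape_like(term) + "%"
    return sorted(r[0] for r in conn.execute(
        "SELECT id FROM log WHERE message LIKE ? ESCAPE '\\'", (pattern,)))


if __name__ == "__main__":
    db = make_db()
    hostile = "zzz' OR 1=1 --"
    print("spliced :", search_unsafe(db, hostile))   # every row
    print("bound   :", search_bound(db, hostile))    # no row
    print("bound % :", search_bound(db, "%"))        # every row
    print("literal%:", search_literal(db, "%"))      # only the row containing '%'
```

Binding the pattern closes the injection, but it does not stop a user from typing `%` or `_` and turning the search into a wildcard match over the whole table; if that matters (rate of rows returned, information leakage), escape the term as `search_literal` does.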