0

I'm trying to get a parameterized query working with the following code: 

 $stmt = $mysqli->prepare("SELECT formattributes.id as attr_id, forms.title as form_title, formattributes.label as attr_label, formattributes.description as attr_description FROM formattributes
INNER JOIN forms ON forms.id = formattributes.form_id WHERE forms.title  LIKE '%?%'");

$stmt->bind_param('s', $search);
$search = $_GET['search'];

$stmt->execute();
$result = $stmt->get_result();

However after executing the query I've checked my general_log table in my mysql database and the query just didn't change:

SELECT formattributes.id as attr_id, forms.title as form_title, formattributes.label as attr_label, formattributes.description as attr_description FROM formattributes
INNER JOIN forms ON forms.id = formattributes.form_id WHERE forms.title  LIKE '%?%'

EDIT:

Finally got it working with the following code: 

 $param = "%{$_POST['search']}%";
$stmt = $mysqli->prepare("SELECT formattributes.id as attr_id, forms.title as form_title, formattributes.label as attr_label, formattributes.description as attr_description FROM formattributes
INNER JOIN forms ON forms.id = formattributes.form_id WHERE forms.title  LIKE ?");
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();

Thanks everyone for the help!

Improve this question
3
  • As far as I know, the placeholder shouldn't be wrapped with quotes (') Commented Oct 8, 2015 at 12:12
  • You're also binding $search to the statement before initialising it... and you don't really need to initialise/sanitise a new variable when using a bound parameter $stmt->bind_param('s', $_GET['search']) should probably do it (as long as you never pass search[] as a GET var) unless you need something like $search = "%{$_GET['search']}%"; Commented Oct 8, 2015 at 12:22
  • <code> $stmt->bind_param('s', $_GET['search'])</code> did not work. With brackets around it, it did work tho. Commented Oct 8, 2015 at 12:31

2 Answers 2

Reset to default
2

Since you put the placeholder wrapped with ', it's been threaten as a regular string and not as a placeholder.

The right way would be to wrap the variable you're binding with %%:

$stmt = $mysqli->prepare("SELECT formattributes.id as attr_id, forms.title as form_title, formattributes.label as attr_label, formattributes.description as attr_description FROM formattributes
INNER JOIN forms ON forms.id = formattributes.form_id WHERE forms.title  LIKE ?");

$stmt->bind_param('s', $search);
$search = '%'.$_GET['search'].'%';

$stmt->execute();
$result = $stmt->get_result();

Similar questions:

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Still not working incoming prepare statement: SELECT formattributes.id as attr_id, forms.title as form_title, formattributes.label as attr_label, formattributes.description as attr_description FROM formattributes INNER JOIN forms ON forms.id = formattributes.form_id WHERE forms.title LIKE ?
Try to first declare the search variable and its value and afterwards to bind it.
Nevermind it where the brackets around the variable. Look at my edit above! Thank you so much for the help!
Edited accordingly. You're welcome. If my answered helped you, please consider accepting it.
-1

change blow code.

 $stmt->bind_param(':s', $search);

OR

SELECT formattributes.id as attr_id, forms.title as form_title, formattributes.label as attr_label, formattributes.description as attr_description FROM formattributes
INNER JOIN forms ON forms.id = formattributes.form_id WHERE forms.title  LIKE '%:s%'

 $stmt->bind_param(':s', $search);
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.