我在php中有一个搜索函数,并使用参数化查询创建了它,以确保它的安全
$words = $_POST['words']//words is the form that has the words submitted by the user
$array = explode(',', $words);
$con = mysqli_connect("localhost","user","pass","database");
$stmt = $con->prepare(" SELECT column_name FROM table WHERE column_name LIKE ?")
foreach($array as $key) { //searches each word and displays results
$stmt->bind_param('s', $key)
$stmt->execute();
$result = $stmt->get-result();
while($row = $result->fetch_assoc(){
echo $row["column_name"]
}
}
但是,我希望$stmt语句是
$stmt = $con->prepare(" SELECT column_name FROM table WHERE column_name LIKE '%?%' ")
否则,人们必须键入column_name的全部值才能找到它。
您可以使用CONCAT()
,如下所示:
LIKE CONCAT ('%', ?, '%')
您可以按如下方式执行此操作:
$key="%$key%"
然后绑定$key。
同样的问题也可以参见PHP绑定通配符。。。。