how to use wpdb->prepare and LIKE

  • Resolved ide79

    (@ide79)


OK, I have a problem getting a query result with $wpdb->prepare and LIKE:

    <?php
    $var = "benz";
    $results = $wpdb->get_results($wpdb->prepare("select model_car, type_car, engine_car FROM carstable WHERE model_car LIKE %s", $var), ARRAY_A ); ?>

How can I make the %s (string) work with LIKE?

Viewing 12 replies - 1 through 12 (of 12 total)
  • vtxyzzy

    (@vtxyzzy)

I think you want to set $var to '%benz%' or, you may need quotes also, like this: '"%benz%"'.

    ide79

    (@ide79)

What if I use $_GET['var'] from the URL?

    vtxyzzy

    (@vtxyzzy)

    Use something like this:

    $var = '%' . $_GET['var'] . '%';

    ide79

    (@ide79)

Thank you very much. I thought that would be the way. I was not sure where to modify the value from the GET method because of the prepare function in the query.

    vtxyzzy

    (@vtxyzzy)

    You are welcome!

    ide79

    (@ide79)

I have one more question about the GET method from the URL. Is this not a very dangerous way to get a variable into the query? Should I prepare it in some way before it gets into the query (because of SQL injection)? Or does $wpdb->prepare make the variable safe to use in the query?

    Robert Chapin

    (@miqrogroove)

    WordPress does not currently offer a “safe” facility for LIKE values. Prepare is better than nothing for now. You might be interested in the discussion at http://core.trac.wordpress.org/ticket/10041

    vtxyzzy

    (@vtxyzzy)

    I don’t know what you are expecting to match, but perhaps you could limit the length, and only allow letters, digits and spaces.
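The two suggestions above (add the % wildcards around the user value, and restrict what the value may contain) combined into one handler, as an added example that is not code from this thread or from WordPress core. It assumes a global $wpdb and the carstable/model_car names from the question; $wpdb->esc_like() exists in WordPress 4.0 and later, and the fallback reproduces its escaping for older installs.

```php
<?php
// Added example (not from the thread or WordPress core). Assumes a global $wpdb
// and the constructed table/column names used in the question above.

function validate_car_term( string $raw ): ?string {
    // Allowlist as suggested in the thread: letters, digits and spaces only,
    // with a length cap. Returns null when the input is rejected.
    if ( strlen( $raw ) > 40 || ! preg_match( '/^[A-Za-z0-9 ]+\z/', $raw ) ) {
        return null;
    }
    return $raw;
}

function escape_like_wildcards( string $term ): string {
    global $wpdb;
    // $wpdb->esc_like() is available since WordPress 4.0.
    if ( isset( $wpdb ) && method_exists( $wpdb, 'esc_like' ) ) {
        return $wpdb->esc_like( $term );
    }
    // Same transformation esc_like() applies: backslash-escape \, % and _ so
    // they match literally instead of acting as LIKE wildcards.
    return addcslashes( $term, '_%\\' );
}

function find_cars( string $raw_input ): array {
    global $wpdb;
    $term = validate_car_term( $raw_input );
    if ( $term === null ) {
        return array();
    }
    // prepare() quotes the %s value but does nothing about LIKE wildcards, so
    // escape the user part first and add our own % wildcards afterwards. The
    // allowlist above already rejects % and _; the escape keeps the query safe
    // if that allowlist is later relaxed.
    $pattern = '%' . escape_like_wildcards( $term ) . '%';
    $sql = $wpdb->prepare(
        'SELECT model_car, type_car, engine_car FROM carstable WHERE model_car LIKE %s',
        $pattern
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Typical call site, e.g. in a shortcode or admin-ajax handler:
// $rows = find_cars( isset( $_GET['var'] ) ? wp_unslash( $_GET['var'] ) : '' );
```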

    ide79

    (@ide79)

That will probably be the best way to reduce some of the risk of SQL injection. I think there should be a function like GetSQLValueString in DW.

    ide79

    (@ide79)

    Off topic question: (mysql)
Is it possible to make a "switch" in a MySQL select like this?

    SELECT * FROM CARS
    WHERE cartype='honda'
    CASE %s
    WHEN 'listall' THEN
    AND subcartype like '%%' end
    ELSE
    AND subcartype = %s end

    // if case listall then list all honda>subcartype else get the value %s
    // Or should i make 2 queries with case statement

    ide79

    (@ide79)

    Ignore the last question. That was a stupid one.
    Too little sleep too much code. 🙂

    vtxyzzy

    (@vtxyzzy)

    Been there. Done that. Didn’t learn, will do again.

  • The topic ‘how to use wpdb->prepare and LIKE’ is closed to new replies.