I want to make our search module be able to search keywords like *lex. Using * to substitute the letters before that. I found the % I add into my query doesn't work and returns error. Please help me to have a look at my code. thanks
if(substr($searchfirst_name, 0, 1) == '*'){
$subquery .= " AND first_name LIKE %".Formatter::s开发者_运维问答ql($searchfirst_name);
}elseif(substr($searchfirst_name, -1, 1) == '*'){
$subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name)."%";
}else{
$subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name);
}
I think the problem is because of the function Formatter::sql(). It filter the variable and add slash to it. How do I modify or create a new function to do this?
public static function sql($value, $fieldName = false) {
if($fieldName) {
return '`' . $value . '`';
}
else if( is_string($value) ) {
return '\'' . addslashes($value) . '\'';
}
else if($value === null) {
return 'NULL';
}
else if($value === true) {
return 1;
}
else if($value === false) {
return 0;
}
else if( is_numeric($value) ) {
return $value;
}
else {
return '\'' . addslashes($value) . '\'';
}
}
You have to use quotes I think:
LIKE '%...'
or LIKE '...%'
EDITED:
Well, the error is clear now:
query run using formatter is like .... LIKE %'....'
which is completely wrong.
When you use LIKE
clause don't use formatter, but use $searchfirst_name
directly!!
Try this
if(substr($searchfirst_name, 0, 1) == '*'){
$subquery .= " AND first_name LIKE '%".Formatter::sql($searchfirst_name)."'";
}elseif(substr($searchfirst_name, -1, 1) == '*'){
$subquery .= " AND first_name LIKE '".Formatter::sql($searchfirst_name)."%'";
}else{
$subquery .= " AND first_name LIKE '".Formatter::sql($searchfirst_name)."'";
}
The first two look ok, but your third else cannot be LIKE. See below.
if(substr($searchfirst_name, 0, 1) == '*'){
$subquery .= " AND first_name LIKE %".Formatter::sql($searchfirst_name);
}elseif(substr($searchfirst_name, -1, 1) == '*'){
$subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name)."%";
}else{
$subquery .= " AND first_name = ".Formatter::sql($searchfirst_name);
}
You had an % outside of string quotes and you probably need to get rid of * characters too
So instead of whole if contruct:
$subquery .= " AND first_name LIKE ".str_replace('*','%',Formatter::sql($searchfirst_name));
but beware this gives the functionality to substitute * everywhere in the string
Just do:
if(substr($searchfirst_name, 0, 1) == '*'){
$subquery .= " AND first_name LIKE ".Formatter::sql('%'.$searchfirst_name);
}elseif(substr($searchfirst_name, -1, 1) == '*'){
$subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name.'%');
}else{
$subquery .= " AND first_name LIKE ".Formatter::sql($searchfirst_name);
}
This will work because the escape functionality in Formatter::sql
won't affect teh '%'
In your sql
function, replace addslashes
with the database provided escape function, e.g., mysql_real_escape_string. Always use the database mechanism for escaping strings (or better yet, use parameterized queries with PDO).
精彩评论