
Quick question: How do I mysqli_escape_string a variable enclosed in a like clause?

"SELECT * FROM table WHERE name LIKE '%". %s . "%'"    

or

"SELECT * FROM table WHERE name like '%"."%s"."%'"

don't work.

Thanks!

Dirk
    Or, if you want to avoid having to deal with escaping entirely, you should use parameters: SELECT * FROM table WHERE name LIKE ?, where the first parameter has value "%$search%" or the like. – C. K. Young Aug 18 '09 at 17:22

1 Answer

$value = mysql_real_escape_string($_POST["terms"]);
$query = "SELECT * FROM table WHERE name LIKE '%".$value."%'";

Or you could achieve this with sprintf like this:

$query = sprintf("SELECT * FROM table WHERE name LIKE '%s'", "%".$value."%");
Sampson
  • Hm let me check that out real quick -- I've been accustomed to sprintf("SELECT ", mysqli_escape_string($link, $var)) – Dirk Aug 18 '09 at 17:23
  • I fixed it to work using your method, but was unable to make it work with sprintf – Dirk Aug 18 '09 at 17:28
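Added example (not code from the question, the answer, or the comments above): the parameter approach from C. K. Young's comment, written out with mysqli. The search term is bound as a parameter, so no escaping call is needed, and the user's own `%`, `_` and `!` characters are escaped so they match literally instead of acting as LIKE wildcards. It assumes an open mysqli connection `$link`, a table `table` with a `name` column, and the term arriving in `$_POST["terms"]`.

```php
<?php
// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Turn a user-supplied substring into a "contains" LIKE pattern.
// '%' and '_' are LIKE wildcards, so an unescaped term such as "%" would
// match every row. We escape them with an explicit ESCAPE character ('!')
// rather than relying on the backslash default, which depends on sql_mode.
function like_contains(string $term): string
{
    $escaped = strtr($term, [
        '!' => '!!',   // the escape character itself
        '%' => '!%',   // literal percent sign
        '_' => '!_',   // literal underscore
    ]);
    return '%' . $escaped . '%';
}

// Run the search with a prepared statement: the pattern is sent as a bound
// parameter, never concatenated into the SQL text, so no
// mysqli_real_escape_string() call is required.
function search_by_name(mysqli $link, string $term): array
{
    $sql  = "SELECT * FROM `table` WHERE name LIKE ? ESCAPE '!'";
    $stmt = $link->prepare($sql);
    $pattern = like_contains($term);     // bind_param() needs a variable
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (placeholder credentials and table/column names are assumptions).
$link = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$rows = search_by_name($link, $_POST['terms'] ?? '');
foreach ($rows as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Searching for `50%_off` now matches only names containing that exact text, whereas the escaped-string versions above would still let the `%` and `_` act as wildcards.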