Do i need to filter my variable before selecting something from database with PDO?

Question

I have a variable $Search and i want this query

$sel=$con->prepare("SELECT * FROM users WHERE Username LIKE '%{:src}%'");
$sel->bindValue(":src",$Search);
$sel->execute();

I wanted to know if it's safe for me to do this query without doing any filtration on user's input.

it should be `$sel->bindValue(":src",'%'.$Search.'%');`. and your query should be `$sel=$con->prepare("SELECT * FROM users WHERE Username LIKE :src");` And yes, it will be safe. — Dimi, Jun 02 '17 at 16:47
Or you can do `LIKE CONCAT('%', :src, '%')` and bind it like you are. — Qirel, Jun 02 '17 at 16:54

AbraCadaver · Accepted Answer · 2017-06-02T16:58:37.340

0

Prepared statements quote your data for you, but for your query to work you need to do it this way:

$Search = "%$Search%";
$sel = $con->prepare("SELECT * FROM users WHERE Username LIKE :src");
$sel->bindValue(":src", $Search, PDO::PARAM_STR);

Or directly:

$sel = $con->prepare("SELECT * FROM users WHERE Username LIKE :src");
$sel->bindValue(":src", "%$Search%", PDO::PARAM_STR);

If you use bindParam() you need to use the first option as it needs a variable as a reference.

edited Jun 02 '17 at 16:58

answered Jun 02 '17 at 16:49

AbraCadaver

Thanks,but i think you should delete `{` brackets – sasasasa Jun 02 '17 at 16:56
1

Why? You had them in your query, did you not want them? I took them out, but since you had them I thought it was part of the data you were looking for. – AbraCadaver Jun 02 '17 at 16:57

1 Answers1