P粉722521204 2023-08-23 09:18:33
For those using named parameters, here's how to do a % partial match using LIKE in a MySQL database:
WHERE column_name LIKE CONCAT('%', :dangerousstring, '%')
The named parameter is :dangerousstring.
In other words, you use explicit unescaped % symbols in your queries, which are separate from user input.
EDIT: For Oracle Database, string concatenation uses the || operator, so it simplifies to:
WHERE column_name LIKE '%' || :dangerousstring || '%'
However, as @bobince mentioned here, there are some caveats:
Therefore, there are other things to pay attention to when combining LIKE and parameterization.
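An added, runnable illustration of the pattern above (not code from either post): Python with sqlite3, which concatenates with || as Oracle does, where MySQL would use CONCAT(). The second query also shows the caveat that a bound value is protected from injection but % and _ typed by the user still act as LIKE wildcards, so they must be escaped with an ESCAPE clause to match literally. The table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; not from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (column_name TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?)",
        [("alice",), ("100% done",), ("a_b",), ("axb",), ("bob",)],
    )
    return conn


def partial_match(conn, dangerous_string):
    """The % wildcards live in the SQL text; the user value is only ever a bound parameter.
    Injection is impossible, but % or _ inside the value still behave as wildcards."""
    sql = "SELECT column_name FROM t WHERE column_name LIKE '%' || :dangerousstring || '%'"
    return [row[0] for row in conn.execute(sql, {"dangerousstring": dangerous_string})]


def escape_like(value, esc="\\"):
    """Prefix the escape char itself, % and _ so LIKE treats them as literal characters."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def partial_match_literal(conn, dangerous_string):
    """Same bound-parameter pattern, plus ESCAPE so user-supplied wildcards match literally."""
    sql = (
        "SELECT column_name FROM t "
        "WHERE column_name LIKE '%' || :dangerousstring || '%' ESCAPE '\\'"
    )
    return [row[0] for row in conn.execute(sql, {"dangerousstring": escape_like(dangerous_string)})]


if __name__ == "__main__":
    db = make_db()
    print(partial_match(db, "a_b"))          # _ is a wildcard: ['a_b', 'axb']
    print(partial_match_literal(db, "a_b"))  # escaped: ['a_b']
    print(partial_match(db, "%"))            # a lone % matches every row
    print(partial_match_literal(db, "%"))    # escaped: ['100% done']
```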
P粉731861241 2023-08-23 00:34:09
I found the answer after posting:
// $database is an existing PDO connection; here the % wildcard is part of the bound value
$query = $database->prepare('SELECT * FROM table WHERE column LIKE ?');
$query->execute(array('value%'));
while ($results = $query->fetch()) {
    echo $results['column'];
}